The commit dbd50f238dec ("net: move the hsize check to the else
block in skb_segment") introduced a data corruption for devices
supporting scatter-gather.
The problem boils down to signed/unsigned comparison given
unexpected results: if signed 'hsize' is negative, it will be
considered greater than a positive 'len', which is unsigned.
This commit addresses the issue explicitly casting 'len' to a
signed integer, so that the comparison gives the correct result.
Bisected-by: Matthieu Baerts <matthieu.bae...@tessares.net>
Fixes: dbd50f238dec ("net: move the hsize check to the else block in
skb_segment")
Signed-off-by: Paolo Abeni <pab...@redhat.com>
---
note: a possible more readable alternative would be moving the
if (hsize < 0)
before 'if (hsize > len)', but that was explicitly discouraged
in a previous iteration of the blamed commit to save a comparison,
so I opted to preserve that optimization.
---
net/core/skbuff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index e835193cabcc3..27f69c0bd8393 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3938,7 +3938,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
skb_release_head_state(nskb);
__skb_push(nskb, doffset);
} else {
- if (hsize > len || !sg)
+ if (hsize > (int)len || !sg)
hsize = len;
else if (hsize < 0)
hsize = 0;
--
2.26.2
