On 29.02.2016 16:19, Benjamin Poirier wrote:
On 2016/02/29 15:57, Daniel Borkmann wrote:
[...]
[ cutting the IPv4 part off as diff is the same ]
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 5ee56d0..c157edc 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1574,9 +1574,9 @@ static struct sk_buff *mld_newpack(struct inet6_dev
*idev, unsigned int mtu)
return NULL;
skb->priority = TC_PRIO_CONTROL;
- skb->reserved_tailroom = skb_end_offset(skb) -
- min(mtu, skb_end_offset(skb));
skb_reserve(skb, hlen);
+ skb->reserved_tailroom = skb_tailroom(skb) -
+ min_t(int, mtu, skb_tailroom(skb) - tlen);
Are you sure this is correct? Wouldn't that mean (assuming we allocated
enough space), that I could now fill a larger than MTU frame?
Quoting back a part of the log:
The maximum space available for ip headers and payload without
fragmentation is min(mtu, data + extra). Therefore,
reserved_tailroom
= data + extra + tlen - min(mtu, data + extra)
= skb_end_offset - hlen - min(mtu, skb_end_offset - hlen - tlen)
= skb_tailroom - min(mtu, skb_tailroom - tlen) ; after skb_reserve(hlen)
The min() takes care of the situation you describe, ie. if the allocated
space is large, reserved_tailroom will be large enough that we do not
use more space than the mtu.
I tested the mld and igmp code with different driver parameters, mtu
values, number of multicast address records and even allocation
failures. If you think the formula is wrong, please provide a
counter-example with hlen, tlen, mtu and size values.
I think the code is fine albeit I think we should remove the min macro
and just do something:
if (skb_tailroom(skb) > mtu)
skb->reserved_tailroom = skb_tailroom(skb) - mtu;
Does that make sense? I think it is much more readable.
Thanks,
Hannes