Basically the bug occurs because the skb->tail pointer is set past the end
of the skb data buffer. This causes problems when the skb's are cloned
(they are unabled to be freed properly). The result is a leak that
eventually will stop the system.
Mike Phillips
Linux Token Ring Project
http://www.linuxtr.net
--- linux.orig/drivers/net/tokenring/ibmtr.c Wed Feb 14 16:49:55 2001
+++ linux/drivers/net/tokenring/ibmtr.c Wed Feb 14 16:50:01 2001
@@ -1716,7 +1716,8 @@
}
#endif
- skb_size = length;
+ skb_size=(sizeof(struct trh_hdr)-lan_hdr_len+sizeof(struct
trllc)+15) & ~15;
+ skb_size+=length;
if (!(skb=dev_alloc_skb(skb_size))) {
DPRINTK("out of memory. frame dropped.\n");
@@ -1727,8 +1728,8 @@
return;
}
- skb_put(skb, length);
- skb_reserve(skb, sizeof(struct trh_hdr)-lan_hdr_len+sizeof(struct
trllc));
+ skb_reserve(skb, (sizeof(struct trh_hdr)-lan_hdr_len+sizeof(struct
trllc)+15) & ~15);
+ skb_put(skb,length);
skb->dev=dev;
data=skb->data;
rbuffer_len=ntohs(isa_readw(rbuffer + offsetof(struct rec_buf,
buf_len)));
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/