On Wednesday, April 24, 2013 03:30:04 Antonio Quartulli wrote:
On Wed, Apr 24, 2013 at 03:17:26AM +0800, Marek Lindner wrote:
On Sunday, April 21, 2013 00:17:33 Martin Hundebøll wrote:
- /* Make room for the rest of the fragments. */
- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) {
kfree_skb(skb_out);
goto free;
- }
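Review bot: in the pskb_expand_head() failure branch, skb_out is released with kfree_skb(skb_out) and control then jumps to free with the pointer still set, so any code at that label that returns or touches skb_out would be working on freed memory. Set skb_out = NULL right after the kfree_skb() call, before goto free, or jump to an exit label that does not reference skb_out. The comment could also say what size covers, since size - skb->len is the only tailroom requested and a reader cannot tell from these lines whether it accounts for every remaining fragment.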
If pskb_expand_head() really fails this function will lead to a crash because skb_out points to undefined memory.
I'm not sure about this. pskb_expand_head() can only fail in the early phase and in that case it seems to return the original skb as it was.
I guess I did not make myself sufficiently clear: If pskb_expand_head() fails, the skb is freed with "kfree_skb(skb_out);" followed by a jump to "free" where the recently freed buffer is returned ...
Btw, is pskb_expand_head() enough to handle all cases? Did you try this with a large (4000 bytes or more) packet?
I don't personally see any problem with this. But maybe I am overlooking something... however, proper testing will make everybody happy :P
Agreed. I wasn't sure there is a problem but wanted to know whether it was tested.
Cheers, Marek