On Sonntag, 12. Februar 2017 11:26:33 CET Sven Eckelmann wrote:
The function batadv_frag_skb_buffer was supposed not to consume the skbuff on errors. This was followed in the helper function batadv_frag_insert_packet when the skb would potentially be inserted in the fragment queue. But it could happen that the next helper function batadv_frag_merge_packets would try to merge the fragments and fail. This results in a kfree_skb of all the enqueued fragments (including the just inserted one). batadv_recv_frag_packet would detect the error in batadv_frag_skb_buffer and try to free the skb again.
The behavior of batadv_frag_skb_buffer (and its helper batadv_frag_insert_packet) must therefore be changed to always consume the skbuff to have a common behavior and avoid the double kfree_skb.
Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge") Signed-off-by: Sven Eckelmann sven@narfation.org
Applied in e3bab02816097f860545d9ce9ae0808c69d7c92f [1].
Kind regards, Sven
[1] https://git.open-mesh.org/batman-adv.git/commit/e3bab02816097f860545d9ce9ae0...