Memset the control block to zeroes before calling skb_segment

skb_segment casts part of skb->cb to some structure to determine tunnel header length. Having remnants of packet structure in cb results in wrong tunnel header length calculation and thus wrong memory copies to random memory locations. This problem is with newer kernels (4.x). Change-Id: Ifc2c7a4c5ea448cd57df88e51bb82a7f62c97cc6 Closes-Bug: #1685181
Juniper · May 5, 2017 · 3fbe0e1 · 3fbe0e1
1 parent c719e06
commit 3fbe0e1
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/linux/vr_host_interface.c b/linux/vr_host_interface.c
@@ -306,7 +306,7 @@ linux_inet_fragment(struct vr_interface *vif, struct sk_buff *skb,
      *
      * and hence access to packet structure beyond this point is suicidal
      */
-    memset(skb->cb, 0, sizeof(struct vrouter_gso_cb));
+    memset(skb->cb, 0, sizeof(skb->cb));
     segs = skb_segment(skb, features);
     if (IS_ERR(segs))
         return PTR_ERR(segs);