From 3fbe0e1ff87a2c4751cec45a442e03ee16f2eb55 Mon Sep 17 00:00:00 2001 From: "Anand H. Krishnan" Date: Thu, 27 Apr 2017 12:07:55 +0530 Subject: [PATCH] Memset the control block to zeroes before calling skb_segment skb_segment casts part of skb->cb to some structure to determine tunnel header length. Having remnants of packet structure in cb results in wrong tunnel header length calculation and thus wrong memory copies to random memory locations. This problem is with newer kernels (4.x). Change-Id: Ifc2c7a4c5ea448cd57df88e51bb82a7f62c97cc6 Closes-Bug: #1685181 --- linux/vr_host_interface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux/vr_host_interface.c b/linux/vr_host_interface.c index 01c0dae1a..7162e2a6e 100644 --- a/linux/vr_host_interface.c +++ b/linux/vr_host_interface.c @@ -306,7 +306,7 @@ linux_inet_fragment(struct vr_interface *vif, struct sk_buff *skb, * * and hence access to packet structure beyond this point is suicidal */ - memset(skb->cb, 0, sizeof(struct vrouter_gso_cb)); + memset(skb->cb, 0, sizeof(skb->cb)); segs = skb_segment(skb, features); if (IS_ERR(segs)) return PTR_ERR(segs);
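Review bot: The comment above the memset in linux_inet_fragment() does not say why the full sizeof(skb->cb) is needed, so a later cleanup could narrow it back to sizeof(struct vrouter_gso_cb) and reintroduce the bug. Please extend the comment to state what the commit message says: skb_segment casts part of skb->cb to its own structure to work out the tunnel header length, so the entire control block must be zero before the call, not only the vrouter_gso_cb portion. A second point on the same hunk: when IS_ERR(segs) is true the function returns PTR_ERR(segs) with skb->cb already wiped, so it is worth confirming that no caller reads anything from skb->cb on the error path.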