Memset the control block to zeroes before calling skb_segment

skb_segment casts part of skb->cb to some structure to determine tunnel header length. Having remnants of packet structure in cb results in wrong tunnel header length calculation and thus wrong memory copies to random memory locations. This problem is with newer kernels (4.x). Change-Id: Ifc2c7a4c5ea448cd57df88e51bb82a7f62c97cc6 Closes-Bug: #1685181
Juniper · May 8, 2017 · 808c464 · 808c464
1 parent 5943f5a
commit 808c464
Showing 1 changed file with 1 addition and 5 deletions.
diff --git a/linux/vr_host_interface.c b/linux/vr_host_interface.c
@@ -224,10 +224,6 @@ linux_if_rx(struct vr_interface *vif, struct vr_packet *pkt)
     return RX_HANDLER_CONSUMED;
 }
 
-struct vrouter_gso_cb {
-    void (*destructor)(struct sk_buff *skb);
-};
-
 static long
 linux_inet_fragment(struct vr_interface *vif, struct sk_buff *skb,
         unsigned short type)
@@ -298,7 +294,7 @@ linux_inet_fragment(struct vr_interface *vif, struct sk_buff *skb,
      *
      * and hence access to packet structure beyond this point is suicidal
      */
-    memset(skb->cb, 0, sizeof(struct vrouter_gso_cb));
+    memset(skb->cb, 0, sizeof(skb->cb));
     segs = skb_segment(skb, features);
     if (IS_ERR(segs))
         return PTR_ERR(segs);