From 808c4646efc7dcae45630542c0e123ec02139600 Mon Sep 17 00:00:00 2001
From: "Anand H. Krishnan"
Date: Thu, 27 Apr 2017 12:07:55 +0530
Subject: [PATCH] Memset the control block to zeroes before calling skb_segment

skb_segment casts part of skb->cb to some structure to determine tunnel header length. Having remnants of packet structure in cb results in wrong tunnel header length calculation and thus wrong memory copies to random memory locations. This problem is with newer kernels (4.x).
Change-Id: Ifc2c7a4c5ea448cd57df88e51bb82a7f62c97cc6
Closes-Bug: #1685181
---
 linux/vr_host_interface.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/linux/vr_host_interface.c b/linux/vr_host_interface.c
index 458ff37e8..2fa1a753b 100644
--- a/linux/vr_host_interface.c
+++ b/linux/vr_host_interface.c
@@ -224,10 +224,6 @@ linux_if_rx(struct vr_interface *vif, struct vr_packet *pkt)
 return RX_HANDLER_CONSUMED;
 }
-struct vrouter_gso_cb {
- void (*destructor)(struct sk_buff *skb);
-};
-
 static long
 linux_inet_fragment(struct vr_interface *vif, struct sk_buff *skb,
 unsigned short type)
@@ -298,7 +294,7 @@ linux_inet_fragment(struct vr_interface *vif, struct sk_buff *skb,
 *
 * and hence access to packet structure beyond this point is suicidal
 */
- memset(skb->cb, 0, sizeof(struct vrouter_gso_cb));
+ memset(skb->cb, 0, sizeof(skb->cb));
 segs = skb_segment(skb, features);
 if (IS_ERR(segs))
 return PTR_ERR(segs);
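Review bot: The reason the whole control block must be cleared is recorded only in the commit message, so the comment above the `memset` in the second hunk should state it, or a later cleanup could narrow the size again and reintroduce the bad tunnel-header length. Something like `/* skb_segment() interprets part of skb->cb as its own state; clear all of it */` next to the call would do. The comment and the body of `linux_inet_fragment` both start outside the hunk, so the existing wording may already cover part of this. Separately, the `IS_ERR(segs)` path returns after the cb has been wiped; if the caller still holds a `vr_packet` pointer into `skb->cb` (the comment suggests the packet structure lives there), it must not touch it on failure, which is worth confirming at the call site.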