diff options
| author | David S. Miller <davem@davemloft.net> | 2015-10-24 06:54:12 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-10-24 06:54:12 -0700 |
| commit | ba3e2084f268bdfed7627046e58a2218037e15af (patch) | |
| tree | 36b99da43ee72f81b31f0627dbfc69f50c97378f /net/ipv6/ip6_output.c | |
| parent | a72c9512bf2bef12c5e66a4d910c4b348fe31d61 (diff) | |
| parent | ce9d9b8e5c2b7486edf76958bcdb5e6534a915b0 (diff) | |
| download | linux-ba3e2084f268bdfed7627046e58a2218037e15af.tar.gz | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Conflicts: net/ipv6/xfrm6_output.c net/openvswitch/flow_netlink.c net/openvswitch/vport-gre.c net/openvswitch/vport-vxlan.c net/openvswitch/vport.c net/openvswitch/vport.h The openvswitch conflicts were overlapping changes. One was the egress tunnel info fix in 'net' and the other was the vport ->send() op simplification in 'net-next'. The xfrm6_output.c conflicts was also a simplification overlapping a bug fix. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/ip6_output.c')
| -rw-r--r-- | net/ipv6/ip6_output.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 0c89671e0767..c2650688aca7 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -28,6 +28,7 @@ #include <linux/errno.h> #include <linux/kernel.h> +#include <linux/overflow-arith.h> #include <linux/string.h> #include <linux/socket.h> #include <linux/net.h> @@ -596,7 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, if (np->frag_size) mtu = np->frag_size; } - mtu -= hlen + sizeof(struct frag_hdr); + + if (overflow_usub(mtu, hlen + sizeof(struct frag_hdr), &mtu) || + mtu <= 7) + goto fail_toobig; frag_id = ipv6_select_ident(net, &ipv6_hdr(skb)->daddr, &ipv6_hdr(skb)->saddr); |