Commit 99941754 authored by Jon Paul Maloy's avatar Jon Paul Maloy Committed by David S. Miller
Browse files

tipc: clear 'next'-pointer of message fragments before reassembly 



If the 'next' pointer of the last fragment buffer in a message is not
zeroed before reassembly, we risk ending up with a corrupt message,
since the reassembly function itself isn't doing this.

Currently, when a buffer is retrieved from the deferred queue of the
broadcast link, the next pointer is not cleared, with the result as
described above.

This commit corrects this, and thereby fixes a bug that may occur when
long broadcast messages are transmitted across dual interfaces. The bug
has been present since 40ba3cdf ("tipc:
message reassembly using fragment chain")

This commit should be applied to both net and net-next.

Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a91d45f1

net/tipc/bcast.c

+1 −0
Original line number Diff line number Diff line
@@ -559,6 +559,7 @@ receive: 


		buf = node->bclink.deferred_head;

		node->bclink.deferred_head = buf->next;

		buf->next = NULL;

		node->bclink.deferred_size--;

		goto receive;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE