• Jon Paul Maloy's avatar
    tipc: clear 'next'-pointer of message fragments before reassembly · 0515cc26
    Jon Paul Maloy authored
    [ Upstream commit 99941754 ]
    
    If the 'next' pointer of the last fragment buffer in a message is not
    zeroed before reassembly, we risk ending up with a corrupt message,
    since the reassembly function itself isn't doing this.
    
    Currently, when a buffer is retrieved from the deferred queue of the
    broadcast link, the next pointer is not cleared, with the result as
    described above.
    
    This commit corrects this, and thereby fixes a bug that may occur when
    long broadcast messages are transmitted across dual interfaces. The bug
    has been present since 40ba3cdf ("tipc:
    message reassembly using fragment chain")
    
    This commit should be applied to both net and net-next.
    Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
    0515cc26
bcast.c 22.9 KB