Commit 348bbc25 authored by David S. Miller's avatar David S. Miller

sctp: Fix SKB list traversal in sctp_intl_store_reasm().

To be fully correct, an iterator has an undefined value when something
like skb_queue_walk() naturally terminates.

This will actually matter when SKB queues are converted over to
list_head.

Formalize what this code ends up doing with the current
implementation.
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 9e733177
...@@ -140,7 +140,7 @@ static void sctp_intl_store_reasm(struct sctp_ulpq *ulpq, ...@@ -140,7 +140,7 @@ static void sctp_intl_store_reasm(struct sctp_ulpq *ulpq,
struct sctp_ulpevent *event) struct sctp_ulpevent *event)
{ {
struct sctp_ulpevent *cevent; struct sctp_ulpevent *cevent;
struct sk_buff *pos; struct sk_buff *pos, *loc;
pos = skb_peek_tail(&ulpq->reasm); pos = skb_peek_tail(&ulpq->reasm);
if (!pos) { if (!pos) {
...@@ -166,23 +166,30 @@ static void sctp_intl_store_reasm(struct sctp_ulpq *ulpq, ...@@ -166,23 +166,30 @@ static void sctp_intl_store_reasm(struct sctp_ulpq *ulpq,
return; return;
} }
loc = NULL;
skb_queue_walk(&ulpq->reasm, pos) { skb_queue_walk(&ulpq->reasm, pos) {
cevent = sctp_skb2event(pos); cevent = sctp_skb2event(pos);
if (event->stream < cevent->stream || if (event->stream < cevent->stream ||
(event->stream == cevent->stream && (event->stream == cevent->stream &&
MID_lt(event->mid, cevent->mid))) MID_lt(event->mid, cevent->mid))) {
loc = pos;
break; break;
}
if (event->stream == cevent->stream && if (event->stream == cevent->stream &&
event->mid == cevent->mid && event->mid == cevent->mid &&
!(cevent->msg_flags & SCTP_DATA_FIRST_FRAG) && !(cevent->msg_flags & SCTP_DATA_FIRST_FRAG) &&
(event->msg_flags & SCTP_DATA_FIRST_FRAG || (event->msg_flags & SCTP_DATA_FIRST_FRAG ||
event->fsn < cevent->fsn)) event->fsn < cevent->fsn)) {
loc = pos;
break; break;
} }
}
__skb_queue_before(&ulpq->reasm, pos, sctp_event2skb(event)); if (!loc)
__skb_queue_tail(&ulpq->reasm, sctp_event2skb(event));
else
__skb_queue_before(&ulpq->reasm, loc, sctp_event2skb(event));
} }
static struct sctp_ulpevent *sctp_intl_retrieve_partial( static struct sctp_ulpevent *sctp_intl_retrieve_partial(
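Review bot: The new `loc` variable carries the whole fix, but nothing in the code says why it exists, so a later cleanup could fold it back into `pos`. A comment above `loc = NULL;` would pin the intent, for example `/* pos is undefined once skb_queue_walk() runs to completion; loc == NULL means append at the tail */`. Both `if` bodies now end in `loc = pos; break;`, and the comment should state that these are the only exits that leave a valid insertion point. The ordering keys compared here (stream, mid, fsn and the FIRST_FRAG flag) presumably come from peer-supplied chunks, so the explicit tail-versus-before decision is worth keeping readable. Part of the function body between the two hunks is not shown on this page.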