From 3174fed9820edc95cff74ad0934c3240c7fb5115 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Fri, 9 Dec 2016 08:02:05 -0800 Subject: [PATCH] net: skb_condense() can also deal with empty skbs It seems attackers can also send UDP packets with no payload at all. skb_condense() can still be a win in this case. It will be possible to replace the custom code in tcp_add_backlog() to get full benefit from skb_condense() Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller --- net/core/skbuff.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 84151cf40aeb..65a74e13c45b 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4946,16 +4946,20 @@ EXPORT_SYMBOL(pskb_extract); */ void skb_condense(struct sk_buff *skb) { - if (!skb->data_len || - skb->data_len > skb->end - skb->tail || - skb_cloned(skb)) - return; + if (skb->data_len) { + if (skb->data_len > skb->end - skb->tail || + skb_cloned(skb)) + return; - /* Nice, we can free page frag(s) right now */ - __pskb_pull_tail(skb, skb->data_len); - - /* Now adjust skb->truesize, since __pskb_pull_tail() does - * not do this. + /* Nice, we can free page frag(s) right now */ + __pskb_pull_tail(skb, skb->data_len); + } + /* At this point, skb->truesize might be over estimated, + * because skb had a fragment, and fragments do not tell + * their truesize. + * When we pulled its content into skb->head, fragment + * was freed, but __pskb_pull_tail() could not possibly + * adjust skb->truesize, not knowing the frag truesize. */ skb->truesize = SKB_TRUESIZE(skb_end_offset(skb)); }