ndisc: Calculate message body length and option length separately.
authorYOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Mon, 21 Jan 2013 06:48:49 +0000 (06:48 +0000)
committerDavid S. Miller <davem@davemloft.net>
Mon, 21 Jan 2013 18:33:16 +0000 (13:33 -0500)
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ndisc.c

index 62b1415bec25b0ec900f309f4e02f112a29413d3..c2b16ffeb1a8ac56f96352de55e41aee442b405d 100644 (file)
@@ -426,6 +426,7 @@ static struct sk_buff *ndisc_build_skb(struct net_device *dev,
        struct sk_buff *skb;
        struct icmp6hdr *hdr;
        int len;
+       int optlen = 0;
        u8 *opt;
 
        if (!dev->addr_len)
@@ -433,13 +434,13 @@ static struct sk_buff *ndisc_build_skb(struct net_device *dev,
 
        len = sizeof(struct icmp6hdr) + (target ? sizeof(*target) : 0);
        if (llinfo)
-               len += ndisc_opt_addr_space(dev);
+               optlen += ndisc_opt_addr_space(dev);
 
-       skb = ndisc_alloc_skb(dev, len);
+       skb = ndisc_alloc_skb(dev, len + optlen);
        if (!skb)
                return NULL;
 
-       skb_put(skb, len);
+       skb_put(skb, len + optlen);
 
        hdr = (struct icmp6hdr *)skb_transport_header(skb);
        memcpy(hdr, icmp6h, sizeof(*hdr));
@@ -1396,7 +1397,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
        struct net_device *dev = skb->dev;
        struct net *net = dev_net(dev);
        struct sock *sk = net->ipv6.ndisc_sk;
-       int len = sizeof(struct rd_msg);
+       int optlen = 0;
        struct inet_peer *peer;
        struct sk_buff *buff;
        struct rd_msg *msg;
@@ -1463,7 +1464,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
                        memcpy(ha_buf, neigh->ha, dev->addr_len);
                        read_unlock_bh(&neigh->lock);
                        ha = ha_buf;
-                       len += ndisc_opt_addr_space(dev);
+                       optlen += ndisc_opt_addr_space(dev);
                } else
                        read_unlock_bh(&neigh->lock);
 
@@ -1471,15 +1472,16 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
        }
 
        rd_len = min_t(unsigned int,
-                    IPV6_MIN_MTU-sizeof(struct ipv6hdr)-len, skb->len + 8);
+                      IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(*msg) - optlen,
+                      skb->len + 8);
        rd_len &= ~0x7;
-       len += rd_len;
+       optlen += rd_len;
 
-       buff = ndisc_alloc_skb(dev, len);
+       buff = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
        if (!buff)
                goto release;
 
-       skb_put(buff, len);
+       skb_put(buff, sizeof(*msg) + optlen);
        msg = (struct rd_msg *)icmp6_hdr(buff);
 
        memset(&msg->icmph, 0, sizeof(struct icmp6hdr));