net: skb_condense() can also deal with empty skbs

It seems attackers can also send UDP packets with no payload at all.

skb_condense() can still be a win in this case.

It will be possible to replace the custom code in tcp_add_backlog()
to get full benefit from skb_condense()

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 84151cf40aebb973bad5bee3ee4be0758084d83c..65a74e13c45bb879859b6c03771e4a266688063e 100644 (file)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4946,16 +4946,20 @@ EXPORT_SYMBOL(pskb_extract);
  */
 void skb_condense(struct sk_buff *skb)
 {
-       if (!skb->data_len ||
-           skb->data_len > skb->end - skb->tail ||
-           skb_cloned(skb))
-               return;
-
-       /* Nice, we can free page frag(s) right now */
-       __pskb_pull_tail(skb, skb->data_len);
+       if (skb->data_len) {
+               if (skb->data_len > skb->end - skb->tail ||
+                   skb_cloned(skb))
+                       return;
 
-       /* Now adjust skb->truesize, since __pskb_pull_tail() does
-        * not do this.
+               /* Nice, we can free page frag(s) right now */
+               __pskb_pull_tail(skb, skb->data_len);
+       }
+       /* At this point, skb->truesize might be over estimated,
+        * because skb had a fragment, and fragments do not tell
+        * their truesize.
+        * When we pulled its content into skb->head, fragment
+        * was freed, but __pskb_pull_tail() could not possibly
+        * adjust skb->truesize, not knowing the frag truesize.
         */
        skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
 }