Fix panic on consume in a mixed push/consume case

headerOffset() is incorrectly taking account of previous push(), so it thinks there is more data to consume. This change switches to use pk.reserved as pivot point. Reported-by: syzbot+64fef9acd509976f9ce7@syzkaller.appspotmail.com PiperOrigin-RevId: 373846283
author: Ting-Yu Wang <anivia@google.com> 2021-05-14 12:47:26 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-05-14 12:49:25 -0700
commit: 436148d68a50e086ae7b967d6a190b3137e68ac8 (patch)
tree: 36b32d05b265532759c759d92a8d8099a9b6b970 /pkg/tcpip/stack/packet_buffer.go
parent: 78ae3db1a39c0cd925c6b75807fa1dc76ba99986 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/pkg/tcpip/stack/packet_buffer.go b/pkg/tcpip/stack/packet_buffer.go
index e2e073091..01652fbe7 100644
--- a/pkg/tcpip/stack/packet_buffer.go
+++ b/pkg/tcpip/stack/packet_buffer.go
@@ -261,7 +261,7 @@ func (pk *PacketBuffer) consume(typ headerType, size int) (v tcpipbuffer.View, c
 	if h.length > 0 {
 		panic(fmt.Sprintf("consume must not be called twice: type %s", typ))
 	}
-	if pk.headerOffset()+pk.consumed+size > int(pk.buf.Size()) {
+	if pk.reserved+pk.consumed+size > int(pk.buf.Size()) {
 		return nil, false
 	}
 	h.offset = pk.consumed
author	Ting-Yu Wang <anivia@google.com>	2021-05-14 12:47:26 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-05-14 12:49:25 -0700
commit	436148d68a50e086ae7b967d6a190b3137e68ac8 (patch)
tree	36b32d05b265532759c759d92a8d8099a9b6b970 /pkg/tcpip/stack/packet_buffer.go
parent	78ae3db1a39c0cd925c6b75807fa1dc76ba99986 (diff)