WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when

To: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Subject: [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
From: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>
Date: Thu, 26 Aug 2010 09:55:41 +0100
Cc: Jeremy Fitzhardinge <jeremy@xxxxxxxx>, "Xen-devel@xxxxxxxxxxxxxxxxxxx" <Xen-devel@xxxxxxxxxxxxxxxxxxx>, "netdev@xxxxxxxxxxxxxxx" <netdev@xxxxxxxxxxxxxxx>, "bugzilla-daemon@xxxxxxxxxxxxxxxxxxx" <bugzilla-daemon@xxxxxxxxxxxxxxxxxxx>, Chapman <jchapman@xxxxxxxxxxx>, Chris Wright <chrisw@xxxxxxxxxxxx>, "bugme-daemon@xxxxxxxxxxxxxxxxxxx" <bugme-daemon@xxxxxxxxxxxxxxxxxxx>, James, "heil@xxxxxxxxxxxxxxxxxxxxxx" <heil@xxxxxxxxxxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, David Miller <davem@xxxxxxxxxxxxx>
Delivery-date: Thu, 26 Aug 2010 01:56:26 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1282811683.2476.133.camel@edumazet-laptop>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Organization: Citrix Systems, Inc.
References: <bug-16529-10286@xxxxxxxxxxxxxxxxxxxxxxxxx/> <20100825153107.2f547f0e.akpm@xxxxxxxxxxxxxxxxxxxx> <4C759F8C.9050301@xxxxxxxx> <1282806640.3469.26.camel@xxxxxxxxxxxxxxxxxxxxx> <1282809788.2476.59.camel@edumazet-laptop> <1282810448.12544.3200.camel@xxxxxxxxxxxxxxxxxxxxxx> <1282811683.2476.133.camel@edumazet-laptop>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
On Thu, 2010-08-26 at 09:34 +0100, Eric Dumazet wrote:
> Le jeudi 26 août 2010 à 09:14 +0100, Ian Campbell a écrit :
> > On Thu, 2010-08-26 at 09:03 +0100, Eric Dumazet wrote:
> > > Here is the patch, could you test it please ?
> > > 
> > > Thanks !
> > > 
> > > [PATCH] l2tp: test for malicious frames in l2tp_eth_dev_recv()
> > > 
> > > close https://bugzilla.kernel.org/show_bug.cgi?id=16529
> > > 
> > > Before calling dev_forward_skb(), we should make sure skb contains at
> > > least an ethernet header, even if length included in upper layer said
> > > so.
> > 
> > Does this imply that there is some problem with xen-netfront setting
> > skb->len or skb->data_len or something incorrectly? It's not clear where
> > data_len has come from in this context.
> 
> data_len is a 16bit field provided in a prior encapsulation header,
> provided by user (untrusted source)
> 
> Some buggy or malicious software sent an invalid frame,
> 
> 
> < encapsulation [len=1000] >  < 'runt' eth frame (len<14) > 
> 
> Another fix would be to change l2tp_recv_dequeue_skb(), and check
> 
> L2TP_SKB_CB(skb)->length against skb->len, before calling 
> 
> (*session->recv_skb)(session, skb, length);
> 
> 
> I prefer the one liner patch I sent you, as a minimum fix.

Thanks, I just wanted to be sure we weren't papering over a potential
issue in xen-netfront.

Ian.



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel