WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when

To: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>, David Miller <davem@xxxxxxxxxxxxx>
Subject: [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
From: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Date: Thu, 26 Aug 2010 10:03:08 +0200
Cc: Jeremy Fitzhardinge <jeremy@xxxxxxxx>, "Xen-devel@xxxxxxxxxxxxxxxxxxx" <Xen-devel@xxxxxxxxxxxxxxxxxxx>, "netdev@xxxxxxxxxxxxxxx" <netdev@xxxxxxxxxxxxxxx>, "bugzilla-daemon@xxxxxxxxxxxxxxxxxxx" <bugzilla-daemon@xxxxxxxxxxxxxxxxxxx>, James Chapman <jchapman@xxxxxxxxxxx>, Chris Wright <chrisw@xxxxxxxxxxxx>, "bugme-daemon@xxxxxxxxxxxxxxxxxxx" <bugme-daemon@xxxxxxxxxxxxxxxxxxx>, "heil@xxxxxxxxxxxxxxxxxxxxxx" <heil@xxxxxxxxxxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Thu, 26 Aug 2010 10:14:08 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=I6uGTomb2MeVmyG/YC1467PFMDdi5UzD0s6+TOj+J34=; b=vn4IPKLaX+rS9yw8ygbNtASZ1UImxqGl1ihoJwthK3TxT2e3EwUtxR3KigSCfJUwCK rCZheVAQVtzvGPrKz3i/Uc8msZHzZaY1Wb9oc5pHe5m/fzVqSZJ5c8m/ZNC/LAidLkDf 8r051xq1i76WlGXCLSyXZb+hOSvDga58+nG64=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=c20ESYleq0BqFMHHMxycocb7n5n0KGmaZ9OrvvbUQMSfXgA/NblbmGOkXCwsVgYFI7 uxqHsPnMtjOyMEUfdUth2bhTc5iGueUls4FFmZXvLoE20LxMwrn+20mwCSFtUUCbCB5I yEcn9eCTB1y11te/z4Ub117Ixtqlf6WAREz7k=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1282806640.3469.26.camel@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <bug-16529-10286@xxxxxxxxxxxxxxxxxxxxxxxxx/> <20100825153107.2f547f0e.akpm@xxxxxxxxxxxxxxxxxxxx> <4C759F8C.9050301@xxxxxxxx> <1282806640.3469.26.camel@xxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Here is the patch, could you test it please ?

Thanks !

[PATCH] l2tp: test for malicious frames in l2tp_eth_dev_recv()

close https://bugzilla.kernel.org/show_bug.cgi?id=16529

Before calling dev_forward_skb(), we should make sure skb contains at
least an ethernet header, even if length included in upper layer said
so.

Reported-by: Thomas Heil <heil@xxxxxxxxxxxxxxxxxxxxxx>
Reported-by: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>
Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
---
 net/l2tp/l2tp_core.c |    2 +-
 net/l2tp/l2tp_eth.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index 58c6c4c..0687c5c 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -132,7 +132,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, 
struct sk_buff *skb,
                printk("\n");
        }
 
-       if (data_len < ETH_HLEN)
+       if (skb->len < ETH_HLEN)
                goto error;
 
        secpath_reset(skb);



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel