| |
|
 |
|
 |
|
|
|
| |
|
|
xen-devel
[Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when
|
To: |
Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx> |
|
Subject: |
[Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3 |
|
From: |
Eric Dumazet <eric.dumazet@xxxxxxxxx> |
|
Date: |
Thu, 26 Aug 2010 10:34:43 +0200 |
|
Cc: |
Jeremy Fitzhardinge <jeremy@xxxxxxxx>, "Xen-devel@xxxxxxxxxxxxxxxxxxx" <Xen-devel@xxxxxxxxxxxxxxxxxxx>, "netdev@xxxxxxxxxxxxxxx" <netdev@xxxxxxxxxxxxxxx>, "bugzilla-daemon@xxxxxxxxxxxxxxxxxxx" <bugzilla-daemon@xxxxxxxxxxxxxxxxxxx>, James Chapman <jchapman@xxxxxxxxxxx>, Chris Wright <chrisw@xxxxxxxxxxxx>, "bugme-daemon@xxxxxxxxxxxxxxxxxxx" <bugme-daemon@xxxxxxxxxxxxxxxxxxx>, "heil@xxxxxxxxxxxxxxxxxxxxxx" <heil@xxxxxxxxxxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, David Miller <davem@xxxxxxxxxxxxx> |
|
Delivery-date: |
Thu, 26 Aug 2010 10:44:14 -0700 |
|
Dkim-signature: |
v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=uvG44j4ewDRe12EsXdMVmM5ctemzVegChIDUn2W1A3A=; b=wd17+WPBinFjS2/vvbKKmepQdOiJb+u/MbaPFdwXXnDrMq5uVngK7yk+Fv+VCtTo3q bYItuiu+adF/xjd60aPM5/e3Px4C4dXhKfTkde8F+VIq1gLX7CCoLpfvqIta0dqfJ8hv imLDrpZD7oqXDo4rY15iqU7Cqlj6jAuoX4A+4= |
|
Domainkey-signature: |
a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=ezTCED1PJRTYIjXJRiyLf++yRMzmwpZvGqlLBMU4kDZRc20a3tIkkQQNFDTvgz96U/ YAZai4fIRzlEx28NTSd+XNMw/yyJn8OlpmEqZqhxHCv9Ux39Qetev8LhFT7jQvkUPmMs EgW9G+mc99xSNE/3/1ouU6VK58o0LDjohY5Oc= |
|
Envelope-to: |
www-data@xxxxxxxxxxxxxxxxxxx |
|
In-reply-to: |
<1282810448.12544.3200.camel@xxxxxxxxxxxxxxxxxxxxxx> |
|
List-help: |
<mailto:xen-devel-request@lists.xensource.com?subject=help> |
|
List-id: |
Xen developer discussion <xen-devel.lists.xensource.com> |
|
List-post: |
<mailto:xen-devel@lists.xensource.com> |
|
List-subscribe: |
<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe> |
|
List-unsubscribe: |
<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe> |
|
References: |
<bug-16529-10286@xxxxxxxxxxxxxxxxxxxxxxxxx/> <20100825153107.2f547f0e.akpm@xxxxxxxxxxxxxxxxxxxx> <4C759F8C.9050301@xxxxxxxx> <1282806640.3469.26.camel@xxxxxxxxxxxxxxxxxxxxx> <1282809788.2476.59.camel@edumazet-laptop> <1282810448.12544.3200.camel@xxxxxxxxxxxxxxxxxxxxxx> |
|
Sender: |
xen-devel-bounces@xxxxxxxxxxxxxxxxxxx |
Le jeudi 26 août 2010 à 09:14 +0100, Ian Campbell a écrit :
> On Thu, 2010-08-26 at 09:03 +0100, Eric Dumazet wrote:
> > Here is the patch, could you test it please ?
> >
> > Thanks !
> >
> > [PATCH] l2tp: test for malicious frames in l2tp_eth_dev_recv()
> >
> > close https://bugzilla.kernel.org/show_bug.cgi?id=16529
> >
> > Before calling dev_forward_skb(), we should make sure skb contains at
> > least an ethernet header, even if length included in upper layer said
> > so.
>
> Does this imply that there is some problem with xen-netfront setting
> skb->len or skb->data_len or something incorrectly? It's not clear where
> data_len has come from in this context.
data_len is a 16bit field provided in a prior encapsulation header,
provided by user (untrusted source)
Some buggy or malicious software sent an invalid frame,
< encapsulation [len=1000] > < 'runt' eth frame (len<14) >
Another fix would be to change l2tp_recv_dequeue_skb(), and check
L2TP_SKB_CB(skb)->length against skb->len, before calling
(*session->recv_skb)(session, skb, length);
I prefer the one liner patch I sent you, as a minimum fix.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
|
|
| |
|
Home