 Home |
Products |
Support |
Community |
News |
xen-devel
[Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when
| To: | Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx> |
|---|---|
| Subject: | [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3 |
| From: | Eric Dumazet <eric.dumazet@xxxxxxxxx> |
| Date: | Thu, 26 Aug 2010 11:44:35 +0200 |
| Cc: | Jeremy Fitzhardinge <jeremy@xxxxxxxx>, "Xen-devel@xxxxxxxxxxxxxxxxxxx" <Xen-devel@xxxxxxxxxxxxxxxxxxx>, "netdev@xxxxxxxxxxxxxxx" <netdev@xxxxxxxxxxxxxxx>, "bugzilla-daemon@xxxxxxxxxxxxxxxxxxx" <bugzilla-daemon@xxxxxxxxxxxxxxxxxxx>, James Chapman <jchapman@xxxxxxxxxxx>, Chris Wright <chrisw@xxxxxxxxxxxx>, "bugme-daemon@xxxxxxxxxxxxxxxxxxx" <bugme-daemon@xxxxxxxxxxxxxxxxxxx>, "heil@xxxxxxxxxxxxxxxxxxxxxx" <heil@xxxxxxxxxxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, David Miller <davem@xxxxxxxxxxxxx> |
| Delivery-date: | Thu, 26 Aug 2010 10:45:13 -0700 |
| Dkim-signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=Ys1JjzXDwzPCkIlaS8zppq7nIC8CLDVaqvgDom6m/58=; b=MrIuu5053sZCtfs41VJq97iKmjVNOc6omYbQIZI6xZSjP1/N3KT4FZvhoxvpTXMdlj mL1t9NAAkkcgVXkfbjyKbXipEa76iubsBDzDdRXK9WqX8vd+mXgGbuWH/Zwotc72cF3v JQpBe2O9F3mPdDltCu79LtnPo48GDe9oy7aHk= |
| Domainkey-signature: | a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=cvaffcySS3qfJq8JBVII3AQWbRbaBJZ2n6VefBW53zyFRnhe53rzvs2/xC6MiLytNm I1VXjpS4V5xJo4boqAfdcXqjr9A/bm7wIuxQDYA1eTPukZrmDLGrD0ou+LIM+55D+Xz0 +uPkcpxuooroVM1F6P2hFfOM1kJTby9wLwqrM= |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <1282809788.2476.59.camel@edumazet-laptop> |
| List-help: | <mailto:xen-devel-request@lists.xensource.com?subject=help> |
| List-id: | Xen developer discussion <xen-devel.lists.xensource.com> |
| List-post: | <mailto:xen-devel@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe> |
| References: | <bug-16529-10286@xxxxxxxxxxxxxxxxxxxxxxxxx/> <20100825153107.2f547f0e.akpm@xxxxxxxxxxxxxxxxxxxx> <4C759F8C.9050301@xxxxxxxx> <1282806640.3469.26.camel@xxxxxxxxxxxxxxxxxxxxx> <1282809788.2476.59.camel@edumazet-laptop> |
| Sender: | xen-devel-bounces@xxxxxxxxxxxxxxxxxxx |
Le jeudi 26 août 2010 à 10:03 +0200, Eric Dumazet a écrit : > Here is the patch, could you test it please ? > > Thanks ! > > [PATCH] l2tp: test for malicious frames in l2tp_eth_dev_recv() > > close https://bugzilla.kernel.org/show_bug.cgi?id=16529 > > Before calling dev_forward_skb(), we should make sure skb contains at > least an ethernet header, even if length included in upper layer said > so. > > Reported-by: Thomas Heil <heil@xxxxxxxxxxxxxxxxxxxxxx> > Reported-by: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx> > Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx> > --- > net/l2tp/l2tp_core.c | 2 +- > net/l2tp/l2tp_eth.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c > index 58c6c4c..0687c5c 100644 > --- a/net/l2tp/l2tp_eth.c > +++ b/net/l2tp/l2tp_eth.c > @@ -132,7 +132,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session > *session, struct sk_buff *skb, > printk("\n"); > } > > - if (data_len < ETH_HLEN) > + if (skb->len < ETH_HLEN) > goto error; > > secpath_reset(skb); > Hmm, reading this code again, I suspect a much better fix is to make sure 'ethernet header' is in skb head, not in a fragment. Maybe frame is valid but only L2TP encapsulation in skb->header at this point. Thanks ! [PATCH] l2tp: test for ethernet header in l2tp_eth_dev_recv() close https://bugzilla.kernel.org/show_bug.cgi?id=16529 Before calling dev_forward_skb(), we should make sure skb head contains at least an ethernet header, even if length included in upper layer said so. Use pskb_may_pull() to make sure this ethernet header is present in skb head. Reported-by: Thomas Heil <heil@xxxxxxxxxxxxxxxxxxxxxx> Reported-by: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx> Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx> --- net/l2tp/l2tp_eth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c index 58c6c4c..1ae6976 100644 --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -132,7 +132,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, printk("\n"); } - if (data_len < ETH_HLEN) + if (!pskb_may_pull(skb, sizeof(ETH_HLEN))) goto error; secpath_reset(skb); _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel |
| Previous by Date: | [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3, Eric Dumazet |
|---|---|
| Next by Date: | Re: [Xen-devel] Re: xenstored unsafe lock order detected, xlate_proc_name, evtchn_ioctl, port_user_lock, Bruce Edge |
| Previous by Thread: | [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3, Ian Campbell |
| Next by Thread: | [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3, David Miller |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
