WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] [linux-2.6.18-xen] gso: Ensure that the packet is long e

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [linux-2.6.18-xen] gso: Ensure that the packet is long enough
From: "Xen patchbot-linux-2.6.18-xen" <patchbot-linux-2.6.18-xen@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 16 Jan 2009 02:51:07 -0800
Delivery-date: Fri, 16 Jan 2009 02:55:18 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1231941847 0
# Node ID d490aa798cc4efffca3f0dc4bbe41efa9d84e248
# Parent  8081d19dce896687c152a7bacccf2d41c0e4d153
gso: Ensure that the packet is long enough

When we get a GSO packet from an untrusted source, we need to
ensure that it is sufficiently long so that we don't end up
crashing.

Based on discovery and patch by Ian Campbell.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
---
 net/ipv4/tcp.c |   13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

diff -r 8081d19dce89 -r d490aa798cc4 net/ipv4/tcp.c
--- a/net/ipv4/tcp.c    Wed Jan 14 14:03:42 2009 +0000
+++ b/net/ipv4/tcp.c    Wed Jan 14 14:04:07 2009 +0000
@@ -2153,7 +2153,7 @@ struct sk_buff *tcp_tso_segment(struct s
        unsigned int seq;
        unsigned int delta;
        unsigned int oldlen;
-       unsigned int len;
+       unsigned int mss;
 
        if (!pskb_may_pull(skb, sizeof(*th)))
                goto out;
@@ -2169,10 +2169,13 @@ struct sk_buff *tcp_tso_segment(struct s
        oldlen = (u16)~skb->len;
        __skb_pull(skb, thlen);
 
+       mss = skb_shinfo(skb)->gso_size;
+       if (unlikely(skb->len <= mss))
+               goto out;
+
        if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
                /* Packet is from an untrusted source, reset gso_segs. */
                int type = skb_shinfo(skb)->gso_type;
-               int mss;
 
                if (unlikely(type &
                             ~(SKB_GSO_TCPV4 |
@@ -2183,7 +2186,6 @@ struct sk_buff *tcp_tso_segment(struct s
                             !(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
                        goto out;
 
-               mss = skb_shinfo(skb)->gso_size;
                skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
 
                segs = NULL;
@@ -2194,8 +2196,7 @@ struct sk_buff *tcp_tso_segment(struct s
        if (IS_ERR(segs))
                goto out;
 
-       len = skb_shinfo(skb)->gso_size;
-       delta = htonl(oldlen + (thlen + len));
+       delta = htonl(oldlen + (thlen + mss));
 
        skb = segs;
        th = skb->h.th;
@@ -2209,7 +2210,7 @@ struct sk_buff *tcp_tso_segment(struct s
                        th->check = csum_fold(csum_partial(skb->h.raw, thlen,
                                                           skb->csum));
 
-               seq += len;
+               seq += mss;
                skb = skb->next;
                th = skb->h.th;
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [linux-2.6.18-xen] gso: Ensure that the packet is long enough, Xen patchbot-linux-2.6.18-xen <=