WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-devel] [PATCH] bridge: don't assume headroom in skb

from [Stephen Hemminger] [Permanent Link][Original]
To: Jae-Wan Jang <jwjang@xxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] [PATCH] bridge: don't assume headroom in skb
From: Stephen Hemminger <shemminger@xxxxxxxx>
Date: Fri, 25 Aug 2006 09:54:47 -0700
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 25 Aug 2006 09:55:28 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <44E40AF7.4030805@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Organization: OSDL
References: <44E40AF7.4030805@xxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx 
This has already been submitted for stable kernel and upstream
but Xen folks will need it first.

The bridge netfilter code needs to check for space at the
front of the skb before overwriting; otherwise if skb from
device doesn't have headroom, then it will cause random
memory corruption.

Signed-off-by: Stephen Hemminger <shemminger@xxxxxxxx>

--- linux-2.6.17.9.orig/include/linux/netfilter_bridge.h        2006-08-21 
11:39:58.000000000 -0700
+++ linux-2.6.17.9/include/linux/netfilter_bridge.h     2006-08-21 
11:40:26.000000000 -0700
@@ -47,18 +47,26 @@
 #define BRNF_BRIDGED                   0x08
 #define BRNF_NF_BRIDGE_PREROUTING      0x10
 
-
 /* Only used in br_forward.c */
-static inline
-void nf_bridge_maybe_copy_header(struct sk_buff *skb)
+static inline int nf_bridge_maybe_copy_header(struct sk_buff *skb)
 {
+       int err;
+
        if (skb->nf_bridge) {
                if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+                       err = skb_cow(skb, 18);
+                       if (err)
+                               return err;
                        memcpy(skb->data - 18, skb->nf_bridge->data, 18);
                        skb_push(skb, 4);
-               } else
+               } else {
+                       err = skb_cow(skb, 16);
+                       if (err)
+                               return err;
                        memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+               }
        }
+       return 0;
 }
 
 /* This is called by the IP fragmenting code and it ensures there is
--- linux-2.6.17.9.orig/net/bridge/br_forward.c 2006-08-18 09:26:24.000000000 
-0700
+++ linux-2.6.17.9/net/bridge/br_forward.c      2006-08-21 11:40:26.000000000 
-0700
@@ -43,11 +43,15 @@
        else {
 #ifdef CONFIG_BRIDGE_NETFILTER
                /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
-               nf_bridge_maybe_copy_header(skb);
+               if (nf_bridge_maybe_copy_header(skb))
+                       kfree_skb(skb);
+               else
 #endif
-               skb_push(skb, ETH_HLEN);
+               {
+                       skb_push(skb, ETH_HLEN);
 
-               dev_queue_xmit(skb);
+                       dev_queue_xmit(skb);
+               }
        }
 
        return 0;

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] [RFC][BUGFIX][vif-route] vif-route script exits early when deleting vifs, Reiner Sailer
Next by Date:  RE: [Xen-devel] x86-64 machine_to_phys vs NX bit, Nakajima, Jun
Previous by Thread:  [Xen-devel] Machine crashed when using sky2 device., Jae-Wan Jang
Next by Thread:  [Xen-devel] [PATCH]xm dump command add on (TAKE 3), Ken Hironaka
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy