Ian Campbell
2009-Jan-14 12:52 UTC
[Xen-devel] [PATCH] gso: Ensure that the packet is long enough
# HG changeset patch
# User Ian Campbell <ian.campbell@citrix.com>
# Date 1231938289 0
# Node ID 2c8bad5afcb2c18c3dc4ece4e308bc99af465ae0
# Parent 762b3109882589dfa69eb694a493a9273bcdf722
gso: Ensure that the packet is long enough
When we get a GSO packet from an untrusted source, we need to
ensure that it is sufficiently long so that we don''t end up
crashing.
Based on discovery and patch by Ian Campbell.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index bd6ff90..12e56ec 100644
diff -r 762b31098825 -r 2c8bad5afcb2 net/ipv4/tcp.c
--- a/net/ipv4/tcp.c Wed Jan 14 13:04:47 2009 +0000
+++ b/net/ipv4/tcp.c Wed Jan 14 13:04:49 2009 +0000
@@ -2153,7 +2153,7 @@ struct sk_buff *tcp_tso_segment(struct s
unsigned int seq;
unsigned int delta;
unsigned int oldlen;
- unsigned int len;
+ unsigned int mss;
if (!pskb_may_pull(skb, sizeof(*th)))
goto out;
@@ -2169,10 +2169,13 @@ struct sk_buff *tcp_tso_segment(struct s
oldlen = (u16)~skb->len;
__skb_pull(skb, thlen);
+ mss = skb_shinfo(skb)->gso_size;
+ if (unlikely(skb->len <= mss))
+ goto out;
+
if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
/* Packet is from an untrusted source, reset gso_segs. */
int type = skb_shinfo(skb)->gso_type;
- int mss;
if (unlikely(type &
~(SKB_GSO_TCPV4 |
@@ -2183,7 +2186,6 @@ struct sk_buff *tcp_tso_segment(struct s
!(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
goto out;
- mss = skb_shinfo(skb)->gso_size;
skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
segs = NULL;
@@ -2194,8 +2196,7 @@ struct sk_buff *tcp_tso_segment(struct s
if (IS_ERR(segs))
goto out;
- len = skb_shinfo(skb)->gso_size;
- delta = htonl(oldlen + (thlen + len));
+ delta = htonl(oldlen + (thlen + mss));
skb = segs;
th = skb->h.th;
@@ -2209,7 +2210,7 @@ struct sk_buff *tcp_tso_segment(struct s
th->check = csum_fold(csum_partial(skb->h.raw, thlen,
skb->csum));
- seq += len;
+ seq += mss;
skb = skb->next;
th = skb->h.th;
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Jan Beulich
2009-Jan-14 14:56 UTC
Re: [Xen-devel] [PATCH] gso: Ensure that the packet is long enough
>>> Ian Campbell <ian.campbell@citrix.com> 14.01.09 13:52 >>> >gso: Ensure that the packet is long enough > >When we get a GSO packet from an untrusted source, we need to >ensure that it is sufficiently long so that we don''t end up >crashing. > >Based on discovery and patch by Ian Campbell. > >Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> >Signed-off-by: Ian Campbell <ian.campbell@citrix.com>Is that change being pushed upstream then? Thanks, Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Ian Campbell
2009-Jan-14 15:02 UTC
Re: [Xen-devel] [PATCH] gso: Ensure that the packet is long enough
On Wed, 2009-01-14 at 14:56 +0000, Jan Beulich wrote:> >>> Ian Campbell <ian.campbell@citrix.com> 14.01.09 13:52 >>> > >gso: Ensure that the packet is long enough > > > >When we get a GSO packet from an untrusted source, we need to > >ensure that it is sufficiently long so that we don''t end up > >crashing. > > > >Based on discovery and patch by Ian Campbell. > > > >Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> > >Signed-off-by: Ian Campbell <ian.campbell@citrix.com> > > Is that change being pushed upstream then?I presumed so, it was proposed on linux-netdev at least, it is being tracked at http://patchwork.ozlabs.org/patch/18346/ Ian. _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel