From mboxrd@z Thu Jan 1 00:00:00 1970 From: Wei Liu Subject: [PATCH] xen-netfront: drop skb when skb->len > 65535 Date: Fri, 1 Mar 2013 16:31:28 +0000 Message-ID: <1362155488-24316-1-git-send-email-wei.liu2@citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xen.org Cc: ij@2013.bluespice.org, ian.campbell@citrix.com, konrad.wilk@citrix.com, npegg@linode.com, annie.li@oracle.com, jbeulich@suse.com, Wei Liu List-Id: xen-devel@lists.xenproject.org The `size' field of Xen network wired format is uint16_t, anything bigger than 65535 will cause overflow. The punishment introduced by XSA-39 is quite harsh - DomU is disconnected when it's discovered to be sending corrupted skbs. However, it looks like Linux kernel will generate some bad skbs sometimes, so drop those skbs before sending to over netback to avoid being disconnected. Signed-off-by: Wei Liu --- drivers/net/xen-netfront.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index 5527663..284059b 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -547,6 +547,18 @@ static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev) unsigned int len = skb_headlen(skb); unsigned long flags; + /* + * wired format of xen_netif_tx_request only supports skb->len + * < 64K, because size field in xen_netif_tx_request is + * uint16_t. + */ + if (unlikely(skb->len > (uint16_t)(~((uint16_t)0)))) { + net_alert_ratelimited( + "xennet: skb->len = %d, too big for wired format\n", + skb->len); + goto drop; + } + slots = DIV_ROUND_UP(offset + len, PAGE_SIZE) + xennet_count_skb_frag_slots(skb); if (unlikely(slots > MAX_SKB_FRAGS + 1)) { -- 1.7.10.4
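Review bot: In the added `if` at the top of xennet_start_xmit(), the bound is spelled `(uint16_t)(~((uint16_t)0))`, which leaves the reader to work out that it means 65535. Writing it as 0xffff, or as a named constant defined next to the comment about the `size` field (the name is the author's choice), would state the wire-format limit directly and keep the check and the comment in step. In the same block, `skb->len` is an unsigned int, so the format specifier should be `%u` rather than `%d`. `net_alert_ratelimited` logs at alert level for a per-packet drop; `net_warn_ratelimited` or `net_err_ratelimited` looks more proportionate unless the alert is meant to flag the bad skbs the commit message mentions. The comment and the log string both say "wired format" where "wire format" is meant, and the comment would be more useful if it also said why the skb is dropped here, since the XSA-39 disconnect rationale currently appears only in the commit message.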