From: Shmulik Ladkani <shmulik.ladkani@gmail.com>
To: Jiri Pirko <jiri@mellanox.com>, "David S . Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org, Shmulik Ladkani <shmulik.ladkani@gmail.com>
Subject: [PATCH] net: skbuff: Fix length validation in skb_vlan_pop()
Date: Sun, 18 Sep 2016 13:09:18 +0300 [thread overview]
Message-ID: <1474193358-20133-1-git-send-email-shmulik.ladkani@gmail.com> (raw)
In 93515d53b1
"net: move vlan pop/push functions into common code"
skb_vlan_pop was moved from its private location in openvswitch to
skbuff common code.
In case !vlan_tx_tag_present, the original 'pop_vlan()' assured
that skb->len is sufficient for the existence of a vlan_ethhdr
(if skb->len < VLAN_ETH_HLEN then pop was a no-op).
This validation was moved as is into the new common 'skb_vlan_pop'.
Alas, in its original location (openvswitch), there's a guarantee that
'data' points to the mac_header, therefore the 'skb->len < VLAN_ETH_HLEN'
condition made sense.
However there's no such guarantee in the generic 'skb_vlan_pop'.
For short packets received in rx path going through 'skb_vlan_pop',
this causes 'skb_vlan_pop' to fail pop-ing a valid vlan hdr (in case tag
is in payload), or to fail moving next tag into hw-accel tag.
Instead, verify that 'skb->mac_len' is sufficient.
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
---
Spotted by code review while doing work augmenting tc act vlan.
net/core/skbuff.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 1e329d4112..cc2c004838 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4537,7 +4537,7 @@ int skb_vlan_pop(struct sk_buff *skb)
} else {
if (unlikely((skb->protocol != htons(ETH_P_8021Q) &&
skb->protocol != htons(ETH_P_8021AD)) ||
- skb->len < VLAN_ETH_HLEN))
+ skb->mac_len < VLAN_ETH_HLEN))
return 0;
err = __skb_vlan_pop(skb, &vlan_tci);
@@ -4547,7 +4547,7 @@ int skb_vlan_pop(struct sk_buff *skb)
/* move next vlan tag to hw accel tag */
if (likely((skb->protocol != htons(ETH_P_8021Q) &&
skb->protocol != htons(ETH_P_8021AD)) ||
- skb->len < VLAN_ETH_HLEN))
+ skb->mac_len < VLAN_ETH_HLEN))
return 0;
vlan_proto = skb->protocol;
--
2.7.4
next reply other threads:[~2016-09-18 10:09 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-18 10:09 Shmulik Ladkani [this message]
2016-09-18 20:26 ` [PATCH] net: skbuff: Fix length validation in skb_vlan_pop() pravin shelar
2016-09-19 6:15 ` Shmulik Ladkani
2016-09-19 12:22 ` Daniel Borkmann
2016-09-19 13:05 ` Shmulik Ladkani
2016-09-19 15:20 ` Shmulik Ladkani
2016-09-19 20:04 ` Shmulik Ladkani
2016-09-19 20:46 ` pravin shelar
2016-09-20 4:36 ` Shmulik Ladkani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1474193358-20133-1-git-send-email-shmulik.ladkani@gmail.com \
--to=shmulik.ladkani@gmail.com \
--cc=davem@davemloft.net \
--cc=jiri@mellanox.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.