* [PATCH] ppp: fix BUG on non-linear SKB (multilink receive)
@ 2009-11-12 13:09 ` Ben McKeegan
0 siblings, 0 replies; 8+ messages in thread
From: Ben McKeegan @ 2009-11-12 13:09 UTC (permalink / raw)
To: davem, paulus, netdev, linux-ppp
PPP does not correctly call pskb_may_pull() on all necessary receive paths
before reading the PPP protocol, thus causing PPP to report seemingly
random 'unsupported protocols' and eventually trigger BUG_ON(skb->len <
skb->data_len) in skb_pull_rcsum() when receiving multilink protocol in
non-linear skbs.
ppp_receive_nonmp_frame() does not call pskb_may_pull() before reading the
protocol number. For the non-mp receive path this is not a problem, as
this check is done in ppp_receive_frame(). For the mp receive path,
ppp_mp_reconstruct() usually copies the data into a new linear skb.
However, in the case where the frame is made up of a single mp fragment,
the mp header is pulled and the existing skb used. This skb was then
passed to ppp_receive_nonmp_frame() without checking if the encapsulated
protocol header can safely be read.
Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
---
This a long standing bug we have observed with PPP over L2TP received on
an e1000e interface, although it may arise with other PPP encapsulations
or devices.
diff -uprN linux-2.6.31.6/drivers/net/ppp_generic.c linux-2.6.31.6-ppp-non-linear-skb/drivers/net/ppp_generic.c
--- linux-2.6.31.6/drivers/net/ppp_generic.c 2009-11-10 00:32:31.000000000 +0000
+++ linux-2.6.31.6-ppp-non-linear-skb/drivers/net/ppp_generic.c 2009-11-12 11:58:40.000000000 +0000
@@ -1944,7 +1944,13 @@ ppp_receive_mp_frame(struct ppp *ppp, st
/* Pull completed packets off the queue and receive them. */
while ((skb = ppp_mp_reconstruct(ppp)))
- ppp_receive_nonmp_frame(ppp, skb);
+ if (pskb_may_pull(skb, 2))
+ ppp_receive_nonmp_frame(ppp, skb);
+ else {
+ ++ppp->dev->stats.rx_length_errors;
+ kfree_skb(skb);
+ ppp_receive_error(ppp);
+ }
return;
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH] ppp: fix BUG on non-linear SKB (multilink receive)
@ 2009-11-12 13:09 ` Ben McKeegan
0 siblings, 0 replies; 8+ messages in thread
From: Ben McKeegan @ 2009-11-12 13:09 UTC (permalink / raw)
To: davem, paulus, netdev, linux-ppp
PPP does not correctly call pskb_may_pull() on all necessary receive paths
before reading the PPP protocol, thus causing PPP to report seemingly
random 'unsupported protocols' and eventually trigger BUG_ON(skb->len <
skb->data_len) in skb_pull_rcsum() when receiving multilink protocol in
non-linear skbs.
ppp_receive_nonmp_frame() does not call pskb_may_pull() before reading the
protocol number. For the non-mp receive path this is not a problem, as
this check is done in ppp_receive_frame(). For the mp receive path,
ppp_mp_reconstruct() usually copies the data into a new linear skb.
However, in the case where the frame is made up of a single mp fragment,
the mp header is pulled and the existing skb used. This skb was then
passed to ppp_receive_nonmp_frame() without checking if the encapsulated
protocol header can safely be read.
Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
---
This a long standing bug we have observed with PPP over L2TP received on
an e1000e interface, although it may arise with other PPP encapsulations
or devices.
diff -uprN linux-2.6.31.6/drivers/net/ppp_generic.c linux-2.6.31.6-ppp-non-linear-skb/drivers/net/ppp_generic.c
--- linux-2.6.31.6/drivers/net/ppp_generic.c 2009-11-10 00:32:31.000000000 +0000
+++ linux-2.6.31.6-ppp-non-linear-skb/drivers/net/ppp_generic.c 2009-11-12 11:58:40.000000000 +0000
@@ -1944,7 +1944,13 @@ ppp_receive_mp_frame(struct ppp *ppp, st
/* Pull completed packets off the queue and receive them. */
while ((skb = ppp_mp_reconstruct(ppp)))
- ppp_receive_nonmp_frame(ppp, skb);
+ if (pskb_may_pull(skb, 2))
+ ppp_receive_nonmp_frame(ppp, skb);
+ else {
+ ++ppp->dev->stats.rx_length_errors;
+ kfree_skb(skb);
+ ppp_receive_error(ppp);
+ }
return;
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ppp: fix BUG on non-linear SKB (multilink receive)
2009-11-12 13:09 ` Ben McKeegan
@ 2009-11-14 3:46 ` David Miller
-1 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2009-11-14 3:46 UTC (permalink / raw)
To: ben; +Cc: paulus, netdev, linux-ppp
From: Ben McKeegan <ben@netservers.co.uk>
Date: Thu, 12 Nov 2009 13:09:57 +0000 (GMT)
> @@ -1944,7 +1944,13 @@ ppp_receive_mp_frame(struct ppp *ppp, st
>
> /* Pull completed packets off the queue and receive them. */
> while ((skb = ppp_mp_reconstruct(ppp)))
> - ppp_receive_nonmp_frame(ppp, skb);
> + if (pskb_may_pull(skb, 2))
> + ppp_receive_nonmp_frame(ppp, skb);
> + else {
> + ++ppp->dev->stats.rx_length_errors;
> + kfree_skb(skb);
> + ppp_receive_error(ppp);
> + }
>
> return;
This fix looks correct, but could you please enclose the while()
loop in braces, that dangling else and the subsequent "return;"
statement look confusing otherwise.
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ppp: fix BUG on non-linear SKB (multilink receive)
@ 2009-11-14 3:46 ` David Miller
0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2009-11-14 3:46 UTC (permalink / raw)
To: ben; +Cc: paulus, netdev, linux-ppp
From: Ben McKeegan <ben@netservers.co.uk>
Date: Thu, 12 Nov 2009 13:09:57 +0000 (GMT)
> @@ -1944,7 +1944,13 @@ ppp_receive_mp_frame(struct ppp *ppp, st
>
> /* Pull completed packets off the queue and receive them. */
> while ((skb = ppp_mp_reconstruct(ppp)))
> - ppp_receive_nonmp_frame(ppp, skb);
> + if (pskb_may_pull(skb, 2))
> + ppp_receive_nonmp_frame(ppp, skb);
> + else {
> + ++ppp->dev->stats.rx_length_errors;
> + kfree_skb(skb);
> + ppp_receive_error(ppp);
> + }
>
> return;
This fix looks correct, but could you please enclose the while()
loop in braces, that dangling else and the subsequent "return;"
statement look confusing otherwise.
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ppp: fix BUG on non-linear SKB (multilink receive)
2009-11-14 3:46 ` David Miller
@ 2009-11-16 13:44 ` Ben McKeegan
-1 siblings, 0 replies; 8+ messages in thread
From: Ben McKeegan @ 2009-11-16 13:44 UTC (permalink / raw)
To: David Miller; +Cc: paulus, netdev, linux-ppp
PPP does not correctly call pskb_may_pull() on all necessary receive paths
before reading the PPP protocol, thus causing PPP to report seemingly
random 'unsupported protocols' and eventually trigger BUG_ON(skb->len <
skb->data_len) in skb_pull_rcsum() when receiving multilink protocol in
non-linear skbs.
ppp_receive_nonmp_frame() does not call pskb_may_pull() before reading the
protocol number. For the non-mp receive path this is not a problem, as
this check is done in ppp_receive_frame(). For the mp receive path,
ppp_mp_reconstruct() usually copies the data into a new linear skb.
However, in the case where the frame is made up of a single mp fragment,
the mp header is pulled and the existing skb used. This skb was then
passed to ppp_receive_nonmp_frame() without checking if the encapsulated
protocol header could safely be read.
Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
---
diff -uprN linux-2.6.31.6/drivers/net/ppp_generic.c linux-2.6.31.6-ppp-non-linear-skb/drivers/net/ppp_generic.c
--- linux-2.6.31.6/drivers/net/ppp_generic.c 2009-11-10 00:32:31.000000000 +0000
+++ linux-2.6.31.6-ppp-non-linear-skb/drivers/net/ppp_generic.c 2009-11-16 13:14:22.000000000 +0000
@@ -1943,8 +1943,15 @@ ppp_receive_mp_frame(struct ppp *ppp, st
}
/* Pull completed packets off the queue and receive them. */
- while ((skb = ppp_mp_reconstruct(ppp)))
- ppp_receive_nonmp_frame(ppp, skb);
+ while ((skb = ppp_mp_reconstruct(ppp))) {
+ if (pskb_may_pull(skb, 2))
+ ppp_receive_nonmp_frame(ppp, skb);
+ else {
+ ++ppp->dev->stats.rx_length_errors;
+ kfree_skb(skb);
+ ppp_receive_error(ppp);
+ }
+ }
return;
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ppp: fix BUG on non-linear SKB (multilink receive)
@ 2009-11-16 13:44 ` Ben McKeegan
0 siblings, 0 replies; 8+ messages in thread
From: Ben McKeegan @ 2009-11-16 13:44 UTC (permalink / raw)
To: David Miller; +Cc: paulus, netdev, linux-ppp
PPP does not correctly call pskb_may_pull() on all necessary receive paths
before reading the PPP protocol, thus causing PPP to report seemingly
random 'unsupported protocols' and eventually trigger BUG_ON(skb->len <
skb->data_len) in skb_pull_rcsum() when receiving multilink protocol in
non-linear skbs.
ppp_receive_nonmp_frame() does not call pskb_may_pull() before reading the
protocol number. For the non-mp receive path this is not a problem, as
this check is done in ppp_receive_frame(). For the mp receive path,
ppp_mp_reconstruct() usually copies the data into a new linear skb.
However, in the case where the frame is made up of a single mp fragment,
the mp header is pulled and the existing skb used. This skb was then
passed to ppp_receive_nonmp_frame() without checking if the encapsulated
protocol header could safely be read.
Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
---
diff -uprN linux-2.6.31.6/drivers/net/ppp_generic.c linux-2.6.31.6-ppp-non-linear-skb/drivers/net/ppp_generic.c
--- linux-2.6.31.6/drivers/net/ppp_generic.c 2009-11-10 00:32:31.000000000 +0000
+++ linux-2.6.31.6-ppp-non-linear-skb/drivers/net/ppp_generic.c 2009-11-16 13:14:22.000000000 +0000
@@ -1943,8 +1943,15 @@ ppp_receive_mp_frame(struct ppp *ppp, st
}
/* Pull completed packets off the queue and receive them. */
- while ((skb = ppp_mp_reconstruct(ppp)))
- ppp_receive_nonmp_frame(ppp, skb);
+ while ((skb = ppp_mp_reconstruct(ppp))) {
+ if (pskb_may_pull(skb, 2))
+ ppp_receive_nonmp_frame(ppp, skb);
+ else {
+ ++ppp->dev->stats.rx_length_errors;
+ kfree_skb(skb);
+ ppp_receive_error(ppp);
+ }
+ }
return;
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ppp: fix BUG on non-linear SKB (multilink receive)
2009-11-16 13:44 ` Ben McKeegan
@ 2009-11-17 7:52 ` David Miller
-1 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2009-11-17 7:52 UTC (permalink / raw)
To: ben; +Cc: paulus, netdev, linux-ppp
From: Ben McKeegan <ben@netservers.co.uk>
Date: Mon, 16 Nov 2009 13:44:25 +0000 (GMT)
> PPP does not correctly call pskb_may_pull() on all necessary receive paths
> before reading the PPP protocol, thus causing PPP to report seemingly
> random 'unsupported protocols' and eventually trigger BUG_ON(skb->len <
> skb->data_len) in skb_pull_rcsum() when receiving multilink protocol in
> non-linear skbs.
>
> ppp_receive_nonmp_frame() does not call pskb_may_pull() before reading the
> protocol number. For the non-mp receive path this is not a problem, as
> this check is done in ppp_receive_frame(). For the mp receive path,
> ppp_mp_reconstruct() usually copies the data into a new linear skb.
> However, in the case where the frame is made up of a single mp fragment,
> the mp header is pulled and the existing skb used. This skb was then
> passed to ppp_receive_nonmp_frame() without checking if the encapsulated
> protocol header could safely be read.
>
> Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
Applied but:
> + while ((skb = ppp_mp_reconstruct(ppp))) {
> + if (pskb_may_pull(skb, 2))
There is a mix of space and tab characters leading up to
the "if (pskb_may_pull" there, I fixed it up but please
take care of such trivial issues before submitting your
patch next time.
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ppp: fix BUG on non-linear SKB (multilink receive)
@ 2009-11-17 7:52 ` David Miller
0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2009-11-17 7:52 UTC (permalink / raw)
To: ben; +Cc: paulus, netdev, linux-ppp
From: Ben McKeegan <ben@netservers.co.uk>
Date: Mon, 16 Nov 2009 13:44:25 +0000 (GMT)
> PPP does not correctly call pskb_may_pull() on all necessary receive paths
> before reading the PPP protocol, thus causing PPP to report seemingly
> random 'unsupported protocols' and eventually trigger BUG_ON(skb->len <
> skb->data_len) in skb_pull_rcsum() when receiving multilink protocol in
> non-linear skbs.
>
> ppp_receive_nonmp_frame() does not call pskb_may_pull() before reading the
> protocol number. For the non-mp receive path this is not a problem, as
> this check is done in ppp_receive_frame(). For the mp receive path,
> ppp_mp_reconstruct() usually copies the data into a new linear skb.
> However, in the case where the frame is made up of a single mp fragment,
> the mp header is pulled and the existing skb used. This skb was then
> passed to ppp_receive_nonmp_frame() without checking if the encapsulated
> protocol header could safely be read.
>
> Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
Applied but:
> + while ((skb = ppp_mp_reconstruct(ppp))) {
> + if (pskb_may_pull(skb, 2))
There is a mix of space and tab characters leading up to
the "if (pskb_may_pull" there, I fixed it up but please
take care of such trivial issues before submitting your
patch next time.
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2009-11-17 7:52 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-11-12 13:09 [PATCH] ppp: fix BUG on non-linear SKB (multilink receive) Ben McKeegan
2009-11-12 13:09 ` Ben McKeegan
2009-11-14 3:46 ` David Miller
2009-11-14 3:46 ` David Miller
2009-11-16 13:44 ` Ben McKeegan
2009-11-16 13:44 ` Ben McKeegan
2009-11-17 7:52 ` David Miller
2009-11-17 7:52 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.