* [PATCH net 0/4] gtp: fix several bugs in gtp module
@ 2019-12-11  8:22 Taehee Yoo
  2019-12-15  1:21 ` Jakub Kicinski
  0 siblings, 1 reply; 2+ messages in thread
From: Taehee Yoo @ 2019-12-11  8:22 UTC (permalink / raw)
  To: davem, pablo, laforge, osmocom-net-gprs, netdev; +Cc: ap420073

This patchset fixes several bugs in the GTP module.

1. Do not allow adding duplicate TID and ms_addr pdp context.
In the current code, duplicate TID and ms_addr pdp context could be added.
So, RX and TX path could find correct pdp context.

2. Fix wrong condition in ->dumpit() callback.
->dumpit() callback is re-called if dump packet size is too big.
So, before returning, it saves the last position and then restarts from
last dump position.
TID value is used to find last dump position.
GTP module allows adding zero TID value. But ->dumpit() callback ignores
zero TID value.
So, dump would not work correctly if dump packet size is too big.

3. Fix use-after-free in ipv4_pdp_find().
RX and TX paths always use gtp->tid_hash and gtp->addr_hash,
but during packet processing, these hash pointers would be freed.
So, use-after-free would occur.

4. Fix panic because of zero size hashtable
GTP hashtable size could be set by user-space.
If hashsize is set to 0, hashtable will not work and panic will occur.

Taehee Yoo (4):
  gtp: do not allow adding duplicate tid and ms_addr pdp context
  gtp: fix wrong condition in gtp_genl_dump_pdp()
  gtp: fix an use-after-free in ipv4_pdp_find()
  gtp: avoid zero size hashtable

 drivers/net/gtp.c | 109 +++++++++++++++++++++++++++-------------------
 1 file changed, 63 insertions(+), 46 deletions(-)

-- 
2.17.1



* Re: [PATCH net 0/4] gtp: fix several bugs in gtp module
  2019-12-11  8:22 [PATCH net 0/4] gtp: fix several bugs in gtp module Taehee Yoo
@ 2019-12-15  1:21 ` Jakub Kicinski
  0 siblings, 0 replies; 2+ messages in thread
From: Jakub Kicinski @ 2019-12-15  1:21 UTC (permalink / raw)
  To: Taehee Yoo; +Cc: davem, pablo, laforge, osmocom-net-gprs, netdev

On Wed, 11 Dec 2019 08:22:43 +0000, Taehee Yoo wrote:
> This patchset fixes several bugs in the GTP module.
> 
> 1. Do not allow adding duplicate TID and ms_addr pdp context.
> In the current code, duplicate TID and ms_addr pdp context could be added.
> So, RX and TX path could find correct pdp context.
> 
> 2. Fix wrong condition in ->dumpit() callback.
> ->dumpit() callback is re-called if dump packet size is too big.  
> So, before returning, it saves the last position and then restarts from
> last dump position.
> TID value is used to find last dump position.
> GTP module allows adding zero TID value. But ->dumpit() callback ignores
> zero TID value.
> So, dump would not work correctly if dump packet size is too big.
> 
> 3. Fix use-after-free in ipv4_pdp_find().
> RX and TX paths always use gtp->tid_hash and gtp->addr_hash,
> but during packet processing, these hash pointers would be freed.
> So, use-after-free would occur.
> 
> 4. Fix panic because of zero size hashtable
> GTP hashtable size could be set by user-space.
> If hashsize is set to 0, hashtable will not work and panic will occur.

Looks good to me, thank you, applied and queued for stable.
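
Item 2 of the cover letter, as an added example that is not part of this thread or of drivers/net/gtp.c: a user-space model of a resumable dump that saves the TID of the entry that did not fit, shown with a cursor where zero means "no saved position" and with an explicit flag. The names `dump_once`, `dump_all`, `have_resume`, the sample TIDs and the flag-based variant are assumptions made for illustration, not the change that was applied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: three PDP contexts keyed by TID; TID 0 is a valid key. */
static const uint64_t tids[] = { 7, 0, 9 };
#define NTIDS (sizeof(tids) / sizeof(tids[0]))

/* resume_tid: entry that did not fit last time; have_resume: fixed variant only. */
struct dump_state { uint64_t resume_tid; bool have_resume; bool done; };

/* One dump call: write at most cap entries to out, return how many were written. */
static size_t dump_once(struct dump_state *st, bool fixed, uint64_t *out, size_t cap)
{
    /* Buggy variant: resume_tid == 0 doubles as "no saved position". */
    bool skipping = fixed ? st->have_resume : (st->resume_tid != 0);
    size_t n = 0;

    for (size_t i = 0; i < NTIDS; i++) {
        if (skipping && tids[i] != st->resume_tid)
            continue;               /* still before the saved position */
        skipping = false;
        if (n == cap) {             /* message full: save position and stop */
            st->resume_tid = tids[i];
            st->have_resume = true;
            return n;
        }
        out[n++] = tids[i];
    }
    st->done = true;
    return n;
}

/* Repeat the dump until it completes or max_calls is hit; return entries emitted. */
static size_t dump_all(bool fixed, size_t cap, size_t max_calls)
{
    struct dump_state st = { 0 };
    uint64_t buf[NTIDS];
    size_t total = 0;
    for (size_t c = 0; c < max_calls && !st.done; c++)
        total += dump_once(&st, fixed, buf, cap);
    return total;
}

int main(void)
{
    printf("buggy: %zu, fixed: %zu\n", dump_all(false, 1, 10), dump_all(true, 1, 10));
    return 0;
}
```

With one entry per message the zero-sentinel variant restarts from the first entry every time the cut lands on TID 0 and never completes; with two entries per message the cut lands on TID 9 and the same code finishes normally.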
