From: Saeed Mahameed
Subject: Re: [Patch net] mlx5: check for malformed packets
Date: Tue, 4 Dec 2018 11:32:48 -0800
To: Cong Wang
Cc: Linux Netdev List, Tariq Toukan, Saeed Mahameed
References: <20181201203837.3306-1-xiyou.wangcong@gmail.com>
In-Reply-To: <20181201203837.3306-1-xiyou.wangcong@gmail.com>

On Sat, Dec 1, 2018 at 12:38 PM Cong Wang wrote:
>
> is_last_ethertype_ip() is used to check IP/IPv6 protocol before
> parsing IP/IPv6 headers.
>
> But __vlan_get_protocol() is only bound to skb->len, a malicious
> packet could exhaust all skb->len by inserting sufficient ETH_P_8021AD
> headers, and it may not even contain an IP/IPv6 header at all, so we
> have to check if we are still safe to continue to parse IP/IPv6 header.
> If not, treat it as non-IP packet.
>
> This should not cause any crash as we still have tail room in skb,
> but we can't just rely on it either.

Hi Cong,

Is this reproducible or just a theory? Which part of the code do you think
will cause the invalid access or crash? Do you have steps to reproduce this?

I would like to investigate this myself. It will take a couple of days, if
that's OK with you.

Thanks,
Saeed.
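
Added example, not part of the original message and not the mlx5 driver code or the patch under discussion: a userspace C model of the check the quoted commit message argues for, where the stacked VLAN tags are walked within the packet length and the frame is treated as non-IP unless a minimal IPv4/IPv6 header still fits afterwards. The names last_ethertype_ip() and classify() and the frames built by classify() are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HLEN     14
#define VLAN_HLEN    4
#define ETH_P_IP     0x0800
#define ETH_P_IPV6   0x86DD
#define ETH_P_8021Q  0x8100
#define ETH_P_8021AD 0x88A8

/* Hypothetical helper: walk stacked VLAN tags bounded by len, then require
 * that a minimal IPv4 (20 B) or IPv6 (40 B) header still fits.
 * Returns the IP ethertype, or 0 meaning "treat as non-IP". */
static uint16_t last_ethertype_ip(const uint8_t *pkt, size_t len, size_t *l3_off)
{
    size_t off = ETH_HLEN, need;
    uint16_t proto;

    if (len < ETH_HLEN)
        return 0;
    proto = (uint16_t)(pkt[12] << 8 | pkt[13]);
    while (proto == ETH_P_8021Q || proto == ETH_P_8021AD) {
        if (len - off < VLAN_HLEN)      /* tag itself is truncated */
            return 0;
        proto = (uint16_t)(pkt[off + 2] << 8 | pkt[off + 3]);
        off += VLAN_HLEN;
    }
    need = proto == ETH_P_IP ? 20 : proto == ETH_P_IPV6 ? 40 : 0;
    if (need == 0 || len - off < need)  /* tags ate the length: no L3 header */
        return 0;
    *l3_off = off;
    return proto;
}

/* Constructed sample frame: zeroed MACs, ntags 802.1ad tags, a final
 * ethertype and `payload` zero bytes. Returns the L3 header offset the
 * parser accepted, or 0 when the frame is classified as non-IP. */
static size_t classify(int ntags, uint16_t final, size_t payload)
{
    uint8_t buf[256] = {0};
    size_t off = 12, l3_off = 0;

    for (int i = 0; i < ntags; i++, off += VLAN_HLEN) {
        buf[off] = ETH_P_8021AD >> 8;       /* TPID; TCI left as zero */
        buf[off + 1] = ETH_P_8021AD & 0xff;
    }
    buf[off] = (uint8_t)(final >> 8);
    buf[off + 1] = (uint8_t)(final & 0xff);
    return last_ethertype_ip(buf, off + 2 + payload, &l3_off) ? l3_off : 0;
}
```

A frame whose last ethertype says IP but whose length ends right after the tags is classified as non-IP, which is the behaviour the commit message asks for.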