From: wenxu <wenxu-t3UIVg6hrfr/PtFMR13I2A@public.gmane.org>
To: pshelar-l0M0P4e3n4LQT0dZR+AlfA@public.gmane.org,
davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org,
jesse-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org
Cc: dev-yBygre7rU0TnMu66kgdUjQ@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
wenxu-t3UIVg6hrfr/PtFMR13I2A@public.gmane.org
Subject: [PATCH] [stable 4.1.y PATCH] openvswitch: fix crash caused by non-nvgre packet
Date: Tue, 22 Dec 2015 17:15:59 +0800
Message-ID: <1450775759-11059-1-git-send-email-wenxu@ucloud.cn>

kernel BUG at include/linux/skbuff.h:1219!
invalid opcode: 0000 [#1] SMP
RIP: 0010:[<ffffffffa01dc89d>] ovs_flow_extract+0x8ed/0xa40 [openvswitch]
Call Trace:
<IRQ>
ovs_dp_process_received_packet+0x44/0x80 [openvswitch]
ovs_vport_receive+0x2e/0x30 [openvswitch]
gre_rcv+0xac/0xd0 [openvswitch]
gre_cisco_rcv+0x1c2/0x310 [openvswitch]
gre_rcv+0x59/0x80 [openvswitch]

ovs_flow_extract calls __skb_pull, which leads to BUG_ON(skb->len < skb->data_len)
if the gre header protocol is not TEB and most of the packet is in
the nonlinear area.

1. gre_rcv: pskb_may_pull(skb, 12)
pulls the 12 bytes into the linear area (skb->data). The gre header is 8 bytes
only with key.

2. gre_cisco_rcv-->parse_gre_header-->iptunnel_pull_header
{
	if (inner_proto == htons(ETH_P_TEB)) {
		struct ethhdr *eh;

		if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
			return -ENOMEM;
		......
	}
}
The wrong inner_proto means the MAC header is not pulled into the linear area.

3. Finally, it causes a crash in ovs_flow_extract->__skb_pull.

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/openvswitch/vport-gre.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c
index f17ac96..4a993b5 100644
--- a/net/openvswitch/vport-gre.c
+++ b/net/openvswitch/vport-gre.c
@@ -107,6 +107,9 @@ static int gre_rcv(struct sk_buff *skb,
if (unlikely(!vport))
return PACKET_REJECT;
+ if (unlikely(tpi->proto != htons(ETH_P_TEB)))
+ return PACKET_REJECT;
+
key = key_to_tunnel_id(tpi->key, tpi->seq);
ovs_flow_tun_info_init(&tun_info, ip_hdr(skb), 0, 0, key,
filter_tnl_flags(tpi->flags), NULL, 0);
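Review bot: the new tpi->proto test in gre_rcv carries no comment, so nothing in the code says that later parsing depends on the inner Ethernet header having been pulled into the linear area, which the commit message shows happens only for ETH_P_TEB. Please add a one-line comment above the check stating that dependency, so the test is not dropped as redundant later. The check also returns the same PACKET_REJECT value as the missing-vport case just above it, so the caller cannot tell an unknown tunnel from a known tunnel carrying a non-TEB payload; please confirm that a reject, rather than a drop, is the intended handling for such packets. Since the test does not use vport, it could also sit before the vport lookup so rejected packets skip that work. For a stable 4.1.y submission, the message should also say whether a corresponding upstream commit exists, as none is referenced.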
--
1.9.1