lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 16 Apr 2015 15:15:11 +1000
From:	David Gibson <david@...son.dropbear.id.au>
To:	Thomas Falcon <tlfalcon@...ux.vnet.ibm.com>
Cc:	anton@....ibm.com, benh@...nel.crashing.org,
	michael@...erman.id.au, linux-kernel@...r.kernel.org,
	linuxppc-dev@...r.kernel.org
Subject: Re: [PATCH] ibmveth: Fix off-by-one error in ibmveth_change_mtu()

On Tue, Apr 14, 2015 at 10:33:18AM -0500, Thomas Falcon wrote:
> On 04/13/2015 12:39 AM, David Gibson wrote:
> > AFAIK the PAPR document which defines the virtual device interface used by
> > the ibmveth driver doesn't specify a specific maximum MTU.  So, in the
> > ibmveth driver, the maximum allowed MTU is determined by the maximum
> > allocated buffer size of 64k (corresponding to one page in the common case)
> > minus the per-buffer overhead IBMVETH_BUFF_OH (which has value 22 for 14
> > bytes of ethernet header, plus 8 bytes for an opaque handle).
> >
> > This suggests a maximum allowable MTU of 65514 bytes, but in fact the
> > driver only permits a maximum MTU of 65513.  This is because there is a <
> > instead of an <= in ibmveth_change_mtu(), which only permits an MTU which
> > is strictly smaller than the buffer size, rather than allowing the buffer
> > to be completely filled.
> >
> > This patch fixes the buglet.
> 
> 
> The same expression is made using < just a few lines above.  Shouldn't this be changed to <= too?
> 
> @@ -1238,7 +1238,7 @@ static int ibmveth_change_mtu(struct net_device *dev, int new_mtu)
>                 return -EINVAL;
>  
>         for (i = 0; i < IBMVETH_NUM_BUFF_POOLS; i++)
> -               if (new_mtu_oh < adapter->rx_buff_pool[i].buff_size)
> +               if (new_mtu_oh <= adapter->rx_buff_pool[i].buff_size)
>                         break;
>  
>         if (i == IBMVETH_NUM_BUFF_POOLS)

Yes, yes it should.

Good catch, thanks.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ