Date:	Thu, 01 May 2008 11:48:19 +0200
From:	Johannes Berg <johannes@...solutions.net>
To:	David Miller <davem@...emloft.net>
Subject: Re: mac80211 truesize bugs


> I looked at the mac80211 code, the problem is the skb_push() you
> guys do in this situation.

Thanks.

> Things like loopback, which also orphan then reinject, don't trigger
> this problem because the re-input path trims things, never adds.
> 
> The good news is that this is easy to fix.
> 
> Since you've orphaned the SKB, simply adjust skb->truesize as you
> do pushes.  Like this:
> 
> mac80211: Adjust truesize in ieee80211_tx_status() when reinjecting.
> 
> Signed-off-by: David S. Miller <davem@...emloft.net>
 
> +	/* This is safe because the buffer has been orphaned.  */
> +	skb->truesize += sizeof(*rthdr);
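
Review bot: The comment above `skb->truesize += sizeof(*rthdr);` asserts that the buffer has been orphaned, but the quoted lines do not show where that happens. Naming the orphaning call in the comment, or keeping this adjustment directly beside the skb_push() it compensates for, would keep the two from drifting apart in later edits. The increment also covers only sizeof(*rthdr), so any other push on this reinjection path would still leave truesize short.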

Hmm. The disconnect between truesize and skb->len+sizeof(*skb) was
usually 17 or 19 bytes and sizeof(*rthdr) is only 11. On the other hand,
I don't see where the other bytes should be coming from. I'll give this
a try, thanks.

johannes
