lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Aug 2010 11:44:35 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Ian Campbell <Ian.Campbell@...citrix.com> Cc: David Miller <davem@...emloft.net>, Jeremy Fitzhardinge <jeremy@...p.org>, Andrew Morton <akpm@...ux-foundation.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, Chris Wright <chrisw@...s-sol.org>, "bugzilla-daemon@...zilla.kernel.org" <bugzilla-daemon@...zilla.kernel.org>, "bugme-daemon@...zilla.kernel.org" <bugme-daemon@...zilla.kernel.org>, James Chapman <jchapman@...alix.com>, "heil@...minal-consulting.de" <heil@...minal-consulting.de>, "Xen-devel@...ts.xensource.com" <Xen-devel@...ts.xensource.com> Subject: Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3 Le jeudi 26 août 2010 à 10:03 +0200, Eric Dumazet a écrit : > Here is the patch, could you test it please ? > > Thanks ! > > [PATCH] l2tp: test for malicious frames in l2tp_eth_dev_recv() > > close https://bugzilla.kernel.org/show_bug.cgi?id=16529 > > Before calling dev_forward_skb(), we should make sure skb contains at > least an ethernet header, even if length included in upper layer said > so. > > Reported-by: Thomas Heil <heil@...minal-consulting.de> > Reported-by: Ian Campbell <Ian.Campbell@...citrix.com> > Signed-off-by: Eric Dumazet <eric.dumazet@...il.com> > --- > net/l2tp/l2tp_core.c | 2 +- > net/l2tp/l2tp_eth.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c > index 58c6c4c..0687c5c 100644 > --- a/net/l2tp/l2tp_eth.c > +++ b/net/l2tp/l2tp_eth.c > @@ -132,7 +132,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, > printk("\n"); > } > > - if (data_len < ETH_HLEN) > + if (skb->len < ETH_HLEN) > goto error; > > secpath_reset(skb); > Hmm, reading this code again, I suspect a much better fix is to make sure 'ethernet header' is in skb head, not in a fragment. Maybe frame is valid but only L2TP encapsulation in skb->header at this point. Thanks ! [PATCH] l2tp: test for ethernet header in l2tp_eth_dev_recv() close https://bugzilla.kernel.org/show_bug.cgi?id=16529 Before calling dev_forward_skb(), we should make sure skb head contains at least an ethernet header, even if length included in upper layer said so. Use pskb_may_pull() to make sure this ethernet header is present in skb head. Reported-by: Thomas Heil <heil@...minal-consulting.de> Reported-by: Ian Campbell <Ian.Campbell@...citrix.com> Signed-off-by: Eric Dumazet <eric.dumazet@...il.com> --- net/l2tp/l2tp_eth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c index 58c6c4c..1ae6976 100644 --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -132,7 +132,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, printk("\n"); } - if (data_len < ETH_HLEN) + if (!pskb_may_pull(skb, sizeof(ETH_HLEN))) goto error; secpath_reset(skb); -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists