| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Apr 2015 10:33:18 -0500
From: Thomas Falcon <tlfalcon@...ux.vnet.ibm.com>
To: David Gibson <david@...son.dropbear.id.au>, anton@....ibm.com,
benh@...nel.crashing.org, michael@...erman.id.au
CC: linux-kernel@...r.kernel.org, linuxppc-dev@...r.kernel.org
Subject: Re: [PATCH] ibmveth: Fix off-by-one error in ibmveth_change_mtu()
On 04/13/2015 12:39 AM, David Gibson wrote:
> AFAIK the PAPR document which defines the virtual device interface used by
> the ibmveth driver doesn't specify a specific maximum MTU. So, in the
> ibmveth driver, the maximum allowed MTU is determined by the maximum
> allocated buffer size of 64k (corresponding to one page in the common case)
> minus the per-buffer overhead IBMVETH_BUFF_OH (which has value 22 for 14
> bytes of ethernet header, plus 8 bytes for an opaque handle).
>
> This suggests a maximum allowable MTU of 65514 bytes, but in fact the
> driver only permits a maximum MTU of 65513. This is because there is a <
> instead of an <= in ibmveth_change_mtu(), which only permits an MTU which
> is strictly smaller than the buffer size, rather than allowing the buffer
> to be completely filled.
>
> This patch fixes the buglet.
The same expression is made using < just a few lines above. Shouldn't this be changed to <= too?
@@ -1238,7 +1238,7 @@ static int ibmveth_change_mtu(struct net_device *dev, int new_mtu)
return -EINVAL;
for (i = 0; i < IBMVETH_NUM_BUFF_POOLS; i++)
- if (new_mtu_oh < adapter->rx_buff_pool[i].buff_size)
+ if (new_mtu_oh <= adapter->rx_buff_pool[i].buff_size)
break;
if (i == IBMVETH_NUM_BUFF_POOLS)
Thanks,
Tom
> Signed-off-by: David Gibson <david@...son.dropbear.id.au>
> ---
> drivers/net/ethernet/ibm/ibmveth.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
> index cd7675a..3aa280a 100644
> --- a/drivers/net/ethernet/ibm/ibmveth.c
> +++ b/drivers/net/ethernet/ibm/ibmveth.c
> @@ -1257,7 +1257,7 @@ static int ibmveth_change_mtu(struct net_device *dev, int new_mtu)
> for (i = 0; i < IBMVETH_NUM_BUFF_POOLS; i++) {
> adapter->rx_buff_pool[i].active = 1;
>
> - if (new_mtu_oh < adapter->rx_buff_pool[i].buff_size) {
> + if (new_mtu_oh <= adapter->rx_buff_pool[i].buff_size) {
> dev->mtu = new_mtu;
> vio_cmo_set_dev_desired(viodev,
> ibmveth_get_desired_dma
--
Tom Falcon
Software Engineer
IBM LTC Austin
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists