| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100802110427.GA9494@gondor.apana.org.au> Date: Mon, 2 Aug 2010 19:04:27 +0800 From: Herbert Xu <herbert@...dor.apana.org.au> To: Jarek Poplawski <jarkao2@...il.com> Cc: Xin Xiaohui <xiaohui.xin@...el.com>, netdev@...r.kernel.org, davem@...emloft.net Subject: Re: Is it a possible bug in dev_gro_receive()? On Mon, Aug 02, 2010 at 10:29:06AM +0000, Jarek Poplawski wrote: > Xin Xiaohui wrote: > > I looked into the code dev_gro_receive(), found the code here: > > if the frags[0] is pulled to 0, then the page will be released, > > and memmove() frags left. > > Is that right? I'm not sure if memmove do right or not, but > > frags[0].size is never set after memove at least. what I think > > a simple way is not to do anything if we found frags[0].size == 0. > > The patch is as followed. > > > > Or am I missing something here? > > I think, you're right, but fixing memmove looks nicer to me: > > - --skb_shinfo(skb)->nr_frags); > + --skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)); I agree with the diagnosis and your proposed fix. Thanks for catching this Xiaohui! Cheers, -- Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists