Date:	Sun, 05 Sep 2010 19:43:55 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Changli Gao <xiaosuo@...il.com>
Cc:	"David S. Miller" <davem@...emloft.net>,
	Linux Netdev List <netdev@...r.kernel.org>
Subject: Re: net: af_packet: skb_orphan should be avoided in TX path.

On Monday, 06 September 2010 at 01:18 +0800, Changli Gao wrote:
> af_packet uses tpacket_destruct_skb() to notify its user a frame is
> sent out through NIC, and the memory for that frame is available for
> the others. If the driver calls skb_orphan() before the frame is sent
> out successfully, and the user may fill other data into the space for
> this frame, this frame will be corrupted. It became more likely after
> skb_try_orphan() was added into dev_hard_start_xmit().
> 
> Am I correct?
> 

Yes, good catch. We might add a:

SKBTX_NO_EARLY_ORPHAN = 1 << 4,

so that skb_orphan_try() does not early orphan this kind of skb.


diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index f900ffc..9c1a480 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -176,6 +176,9 @@ enum {
 
 	/* ensure the originating sk reference is available on driver level */
 	SKBTX_DRV_NEEDS_SK_REF = 1 << 3,
+
+	/* dont early orphan this skb in skb_orphan_try() */
+	SKBTX_NO_EARLY_ORPHAN = 1 << 4,
 };
 
 /* This data is invariant across clones and lives at
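
Review bot: SKBTX_NO_EARLY_ORPHAN is defined here, but no hunk in this patch reads it, so as posted skb_orphan_try() would still orphan the skb exactly as before. The patch needs the matching test of skb_shinfo(skb)->tx_flags in skb_orphan_try() to have any effect. The new comment should also read "don't" and state the reason: the skb destructor tells the sender its buffer can be reused, so it must not run before the frame has left the NIC. It is also worth saying how this differs from SKBTX_DRV_NEEDS_SK_REF just above, whose comment describes a closely related guarantee.
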
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 3616f27..306795d 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1029,6 +1029,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 		}
 
 		skb->destructor = tpacket_destruct_skb;
+		skb_shinfo(skb)->tx_flags |= SKBTX_NO_EARLY_ORPHAN;
 		__packet_set_status(po, ph, TP_STATUS_SENDING);
 		atomic_inc(&po->tx_ring.pending);
 
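
Review bot: the flag set next to skb->destructor = tpacket_destruct_skb only covers the skb_orphan_try() path named in the flag's comment; a driver that calls skb_orphan() itself before transmission completes, which is the case the original report describes, would still run tpacket_destruct_skb early and hand the ring frame back to user space while it is in use. Either note that limitation in a comment at this line or handle the direct skb_orphan() case as well. A one-line comment here explaining that the destructor releases the TX ring frame would make the reason for the flag clear to later readers.
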

