| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Oct 2013 08:06:35 +0200
From: Antonio Quartulli <antonio@...hcoding.com>
To: David Miller <davem@...emloft.net>
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH net] netpoll: linearize skb before accessing its data
On Mon, Oct 21, 2013 at 06:23:19PM -0400, David Miller wrote:
> From: Antonio Quartulli <antonio@...hcoding.com>
> Date: Mon, 21 Oct 2013 23:31:20 +0200
>
> > __netpoll_rx() assumes that the data buffer of the received
> > skb is linear and then passes it to rx_hook().
> > However this is not true because the skb has not been
> > linearized yet.
> >
> > This can cause rx_hook() to access non allocated memory
> > while parsing the received data.
> >
> > Fix __netpoll_rx() by explicitly linearising the skb.
> >
> > Signed-off-by: Antonio Quartulli <antonio@...hcoding.com>
>
> It is rx_hook's obligation to access the SKB properly and not
> assume that the SKB is linear. It is very expensive to
> linearize every SKB just for the sake of improperly implemented
> receive hooks.
>
> In particular the rx hooks must make use of interface such
> as pskb_may_pull(), just like every other protocol does
> on packet input processing, to make sure the area they want
> to access is in the linear area.
>
But rx_hook() does not receive any skb:
609 np->rx_hook(np, ntohs(uh->source),
610 (char *)(uh+1),
611 ulen - sizeof(struct udphdr));
it just receives a pointer to the data and can't do anything to make it linear.
(uh is a pointer to the udp header). Am I missing something?
Regards,
--
Antonio Quartulli
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists