| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Mar 2014 12:30:18 +0000
From: Paul Durrant <Paul.Durrant@...rix.com>
To: Ian Campbell <Ian.Campbell@...rix.com>
CC: "xen-devel@...ts.xen.org" <xen-devel@...ts.xen.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Wei Liu <wei.liu2@...rix.com>,
Sander Eikelenboom <linux@...elenboom.it>
Subject: RE: [PATCH net 3/3] xen-netback: BUG_ON in xenvif_rx_action() not
catching overflow
> -----Original Message-----
> From: Ian Campbell
> Sent: 27 March 2014 12:28
> To: Paul Durrant
> Cc: xen-devel@...ts.xen.org; netdev@...r.kernel.org; Wei Liu; Sander
> Eikelenboom
> Subject: Re: [PATCH net 3/3] xen-netback: BUG_ON in xenvif_rx_action()
> not catching overflow
>
> On Thu, 2014-03-27 at 12:23 +0000, Paul Durrant wrote:
> > The BUG_ON to catch ring overflow in xenvif_rx_action() makes the
> assumption
> > that meta_slots_used == ring slots used. This is not the case for GSO
> > packets.
>
> Can you explain why not here please.
>
Sure. I'll add an explanation.
Paul
> > This patch changes the test to actually check ring slots.
> >
> > Signed-off-by: Paul Durrant <paul.durrant@...rix.com>
> > Cc: Ian Campbell <ian.campbell@...rix.com>
> > Cc: Wei Liu <wei.liu2@...rix.com>
> > Cc: Sander Eikelenboom <linux@...elenboom.it>
> > ---
> > drivers/net/xen-netback/netback.c | 8 +++++++-
> > 1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-
> netback/netback.c
> > index ac35489..ae7351f 100644
> > --- a/drivers/net/xen-netback/netback.c
> > +++ b/drivers/net/xen-netback/netback.c
> > @@ -481,6 +481,8 @@ static void xenvif_rx_action(struct xenvif *vif)
> >
> > while ((skb = skb_dequeue(&vif->rx_queue)) != NULL) {
> > RING_IDX max_slots_needed;
> > + RING_IDX old_req_cons;
> > + RING_IDX ring_slots_used;
> > int i;
> >
> > /* We need a cheap worse case estimate for the number of
> > @@ -520,8 +522,12 @@ static void xenvif_rx_action(struct xenvif *vif)
> > vif->rx_last_skb_slots = 0;
> >
> > sco = (struct skb_cb_overlay *)skb->cb;
> > +
> > + old_req_cons = vif->rx.req_cons;
> > sco->meta_slots_used = xenvif_gop_skb(skb, &npo);
> > - BUG_ON(sco->meta_slots_used > max_slots_needed);
> > + ring_slots_used = vif->rx.req_cons - old_req_cons;
> > +
> > + BUG_ON(ring_slots_used > max_slots_needed);
> >
> > __skb_queue_tail(&rxq, skb);
> > }
>
Powered by blists - more mailing lists