lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 22 Apr 2014 17:31:24 -0400
From:	Jon Maloy <jon.maloy@...csson.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	Erik Hugne <erik.hugne@...csson.com>, <netdev@...r.kernel.org>
Subject: Re: skb_try_coalesce bug?

On 04/22/2014 05:29 PM, Eric Dumazet wrote:
> On Tue, 2014-04-22 at 16:35 -0400, Jon Maloy wrote:
>> On 04/22/2014 04:05 PM, Eric Dumazet wrote:
>>> On Tue, 2014-04-22 at 15:38 -0400, Jon Maloy wrote:
>>>
>>>>
>>>> In the case I encountered, our head buffer is linear (skb->data_len == 0),
>>>> so it is the real tailroom value that is returned. An alas, that one is big
>>>> enough to contain the last (small) fragment of the message.
>>>
>>>
>>> Whole point of skb_try_coalesce() is to coalesce as much as possible,
>>> without guarantee of keeping some sort of 'segments'
>>>
>>> skb_try_coalesce - try to merge skb to prior one
>>>
>>> If you do not want this to happen, (you seem to want nothing else in
>>> your head buffer skb->head), you need to add some logic.
>>
>> Ok. I should have given a little background.
>>
>> 1: We send a message of 3041 bytes, inclusive TIPC header, via loopback interface.
>>
>> 2: This one gets chopped up in three fragments: 1420, 1420,and 201 bytes.
>>    (The mtu was of course wrong, but this is how I discovered the problem).
>>
>> 3: First fragment is received, uncloned, and serves as head.
>>
>> 4;  Second fragment (a clone) is received. skb_try_coalesce() fails at
>>     the skb_head_is_locked() test, because the buffer is a clone.
>>     Because of this, we add the buffer to skb_shinfo(head)->frag_list
>>     instead.
> 
> Then if you do that, you also need to change head->data_len !
> 
>>
>> 5: Third fragment (also a clone) is received. Now, since we check for
>>    space in tailroom of header before we do anything else, it slips
>>    in there, and bypasses the already chained-up second segment.
> 
> Only because you failed to tell the world @head was no longer linear.

Ok. Thank you. Lesson learned.

///jon

> 
> 
> 

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ