lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 4 Jul 2018 17:01:22 +0100
From:   Edward Cree <ecree@...arflare.com>
To:     <davem@...emloft.net>
CC:     <netdev@...r.kernel.org>
Subject: Re: [PATCH v4 net-next 7/9] net: ipv4: listified version of ip_rcv

On 02/07/18 16:14, Edward Cree wrote:
> +/* Receive a list of IP packets */
> +void ip_list_rcv(struct list_head *head, struct packet_type *pt,
> +		 struct net_device *orig_dev)
> +{
> +	struct net_device *curr_dev = NULL;
> +	struct net *curr_net = NULL;
> +	struct sk_buff *skb, *next;
> +	struct list_head sublist;
> +
> +	list_for_each_entry_safe(skb, next, head, list) {
> +		struct net_device *dev = skb->dev;
> +		struct net *net = dev_net(dev);
> +
> +		skb = ip_rcv_core(skb, net);
> +		if (skb == NULL)
> +			continue;
I've spotted a bug here, in that if ip_rcv_core() eats the skb (e.g. by
 freeing it) it won't list_del() it, so when we process the sublist we'll
 end up trying to process this skb anyway.
Thus, places where an skb could get freed (possibly remotely, as in nf
 hooks that can steal packets) need to use the dequeue/enqueue model
 rather than the list_cut_before() approach.
Followup patches soon.

-Ed

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ