Message-ID: <CACKFLim91WB__vrki_MtpZ5Evg7aDcV=ojgOMPPufVc2syJHOA@mail.gmail.com>
Date: Sun, 20 Jan 2019 14:26:57 -0800
From: Michael Chan <michael.chan@...adcom.com>
To: Netdev <netdev@...r.kernel.org>, David Miller <davem@...emloft.net>
Subject: Stack sends oversize UDP packet to the driver

I've received a bug report of oversized UDP packets sent to the
bnxt_en driver for transmission. There is no check for illegal length
in the driver and it will send a corrupted BD to the NIC if the
non-TSO length exceeds the maximum MTU supported by the driver. This
ultimately causes the driver to hang.

Looking a little deeper, it looks like the route of the SKB was
initially to "lo" and therefore no fragmentation was done. And it
looks like the route later got changed to the bnxt_en dev before
transmission. The user was doing multiple VM reboots and the bad
length was happening on the Linux host.

I can add a length check in the driver to prevent this. But is there
a better way to prevent this in the stack? Thanks.
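
The driver-side length check mentioned in the message, sketched as a user-space C model (an added example, not part of the original post and not bnxt_en or kernel code). All struct, function and constant names are hypothetical, and the MTU and packet sizes are constructed.

```c
/* User-space model of a transmit-path length check. Hypothetical names;
 * not bnxt_en or kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_ETH_HLEN  14u  /* Ethernet header */
#define MODEL_VLAN_HLEN  4u  /* optional 802.1Q tag */

struct model_pkt {           /* stand-in for the skb fields the check needs */
    uint32_t len;            /* bytes handed to the driver, L2 header included */
    uint16_t gso_size;       /* 0 means not a TSO packet */
    bool vlan_tagged;
};

struct model_dev {
    uint32_t max_mtu;        /* largest MTU the driver supports (constructed) */
    uint64_t tx_dropped;     /* drop counter, so the event is visible in stats */
};

enum tx_verdict { TX_OK, TX_DROP_OVERSIZE };

/* Largest non-TSO frame that fits the device's maximum MTU. */
static uint32_t model_max_frame(const struct model_dev *d, const struct model_pkt *p)
{
    return d->max_mtu + MODEL_ETH_HLEN + (p->vlan_tagged ? MODEL_VLAN_HLEN : 0u);
}

/* Run before any descriptor is built: drop and count the packet rather
 * than post a descriptor with an illegal length. */
static enum tx_verdict model_tx_check(struct model_dev *d, const struct model_pkt *p)
{
    /* TSO packets are segmented later, so only non-TSO length is bounded. */
    if (p->gso_size == 0 && p->len > model_max_frame(d, p)) {
        d->tx_dropped++;
        return TX_DROP_OVERSIZE;
    }
    return TX_OK;
}

int main(void)
{
    struct model_dev dev = { .max_mtu = 9500, .tx_dropped = 0 };
    /* Constructed packet: sized for loopback, never fragmented, then rerouted. */
    struct model_pkt p = { .len = 65000, .gso_size = 0, .vlan_tagged = false };
    enum tx_verdict v = model_tx_check(&dev, &p);
    printf("verdict=%d dropped=%llu\n", v, (unsigned long long)dev.tx_dropped);
    return 0;
}
```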