lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACKFLim91WB__vrki_MtpZ5Evg7aDcV=ojgOMPPufVc2syJHOA@mail.gmail.com>
Date:   Sun, 20 Jan 2019 14:26:57 -0800
From:   Michael Chan <michael.chan@...adcom.com>
To:     Netdev <netdev@...r.kernel.org>, David Miller <davem@...emloft.net>
Subject: Stack sends oversize UDP packet to the driver

I've received a bug report of oversized UDP packets sent to the
bnxt_en driver for transmission.  There is no check for illegal length
in the driver and it will send a corrupted BD to the NIC if the
non-TSO length exceeds the maximum MTU supported by the driver.  This
ultimately causes the driver to hang.

Looking a little deeper, it looks like the route of the SKB was
initially to "lo" and therefore no fragmentation was done.  And it
looks like the route later got changed to the bnxt_en dev before
transmission.  The user was doing multiple VM reboots and the bad
length was happening on the Linux host.

I can add a length check in the driver to prevent this.  But is there
a better way to prevent this in the stack?  Thanks.

Powered by blists - more mailing lists