lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACKFLim91WB__vrki_MtpZ5Evg7aDcV=ojgOMPPufVc2syJHOA@mail.gmail.com> Date: Sun, 20 Jan 2019 14:26:57 -0800 From: Michael Chan <michael.chan@...adcom.com> To: Netdev <netdev@...r.kernel.org>, David Miller <davem@...emloft.net> Subject: Stack sends oversize UDP packet to the driver I've received a bug report of oversized UDP packets sent to the bnxt_en driver for transmission. There is no check for illegal length in the driver and it will send a corrupted BD to the NIC if the non-TSO length exceeds the maximum MTU supported by the driver. This ultimately causes the driver to hang. Looking a little deeper, it looks like the route of the SKB was initially to "lo" and therefore no fragmentation was done. And it looks like the route later got changed to the bnxt_en dev before transmission. The user was doing multiple VM reboots and the bad length was happening on the Linux host. I can add a length check in the driver to prevent this. But is there a better way to prevent this in the stack? Thanks.
Powered by blists - more mailing lists