lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <ad0d23a8d3c246d5ff10c52b52a8175c@linux.vnet.ibm.com>
Date:   Mon, 12 Oct 2020 15:30:12 -0700
From:   dwilder <dwilder@...ibm.com>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     Willem de Bruijn <willemdebruijn.kernel@...il.com>,
        Network Development <netdev@...r.kernel.org>,
        tlfalcon@...ux.ibm.com, cris.forno@....com,
        pradeeps@...ux.vnet.ibm.com, wilder@...ibm.com
Subject: RE: [ PATCH v1 2/2] ibmveth: Identify ingress large send packets.

On 2020-10-11 11:31, Jakub Kicinski wrote:
> On Sat, 10 Oct 2020 12:51:30 -0400 Willem de Bruijn wrote:
>> > > @@ -1385,7 +1386,17 @@ static int ibmveth_poll(struct napi_struct *napi, int budget)
>> > >                         skb_put(skb, length);
>> > >                         skb->protocol = eth_type_trans(skb, netdev);
>> > >
>> > > -                       if (length > netdev->mtu + ETH_HLEN) {
>> > > +                       /* PHYP without PLSO support places a -1 in the ip
>> > > +                        * checksum for large send frames.
>> > > +                        */
>> > > +                       if (be16_to_cpu(skb->protocol) == ETH_P_IP) {
> 
> You can byteswap the constant, so its done at compilation time.

Thanks for the comments.

For V2 of patch I will change above to BE16_TO_CPU()

> 
>> > > +                               struct iphdr *iph = (struct iphdr *)skb->data;
>> > > +
>> > > +                               iph_check = iph->check;
>> >
>> > Check against truncated/bad packets.
>> 
>> .. unless I missed context. Other code in this driver seems to peek in
>> the network and transport layer headers without additional geometry
>> and integrity checks, too.
> 
> Good catch, even if we trust the hypervisor to only forward valid
> frames this needs to be at least mentioned in the commit message.
> 
> Also please add Fixes tags to both patches.

For V2: ( posting soon )
-Will add Fix tags
-update commit message re: validity of frames from Hypervisor.
-switch be16_to_cpu() to BE16_TO_CPU().

Thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ