| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dd6df3ee84110649d901f041883c3d44c0798cda.camel@mendozajonas.com>
Date: Tue, 12 Oct 2021 19:46:28 -0700
From: Samuel Mendoza-Jonas <sam@...dozajonas.com>
To: Joel Stanley <joel@....id.au>,
Kumar Thangavel <kumarthangavel.hcl@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
linux-aspeed <linux-aspeed@...ts.ozlabs.org>,
Networking <netdev@...r.kernel.org>,
OpenBMC Maillist <openbmc@...ts.ozlabs.org>,
Amithash Prasad <amithash@...com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
velumanit@....com, patrickw3@...com
Subject: Re: [PATCH] net: ncsi: Adding padding bytes in the payload
On Tue, 2021-10-12 at 22:44 +0000, Joel Stanley wrote:
> On Tue, 12 Oct 2021 at 06:23, Kumar Thangavel
> <kumarthangavel.hcl@...il.com> wrote:
> >
> > Update NC-SI command handler (both standard and OEM) to take into
> > account of payload paddings in allocating skb (in case of payload
> > size is not 32-bit aligned).
> >
> > The checksum field follows payload field, without taking payload
> > padding into account can cause checksum being truncated, leading to
> > dropped packets.
>
> Can you help us review this by pointing out where this is described in
> the NCSI spec?
>
> We've been running this code for a number of years now and I wonder
> why this hasn't been a problem so far.
I'm assuming this is referencing section 8.2.2.2:
If the payload is present and does not end on a 32-bit boundary, one to
three padding bytes equal to 0x00 shall be present to align the
checksum field to a 32-bit boundary.
But I'm also surprised this hasn't caused issues so far if we've been
getting it wrong. Is there an example that reproduces the issue?
Cheers,
Sam
>
> Cheers,
>
> Joel
>
> >
> > Signed-off-by: Kumar Thangavel <thangavel.k@....com>
> >
> > ---
> > net/ncsi/ncsi-cmd.c | 21 +++++++++++++++++----
> > 1 file changed, 17 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c
> > index ba9ae482141b..4625fc935603 100644
> > --- a/net/ncsi/ncsi-cmd.c
> > +++ b/net/ncsi/ncsi-cmd.c
> > @@ -214,11 +214,19 @@ static int ncsi_cmd_handler_oem(struct sk_buff
> > *skb,
> > struct ncsi_cmd_oem_pkt *cmd;
> > unsigned int len;
> >
> > + /* NC-SI spec requires payload to be padded with 0
> > + * to 32-bit boundary before the checksum field.
> > + * Ensure the padding bytes are accounted for in
> > + * skb allocation
> > + */
> > +
> > + unsigned short payload = ALIGN(nca->payload, 4);
> > +
> > len = sizeof(struct ncsi_cmd_pkt_hdr) + 4;
> > - if (nca->payload < 26)
> > + if (payload < 26)
> > len += 26;
> > else
> > - len += nca->payload;
> > + len += payload;
> >
> > cmd = skb_put_zero(skb, len);
> > memcpy(&cmd->mfr_id, nca->data, nca->payload);
> > @@ -272,6 +280,7 @@ static struct ncsi_request
> > *ncsi_alloc_command(struct ncsi_cmd_arg *nca)
> > struct net_device *dev = nd->dev;
> > int hlen = LL_RESERVED_SPACE(dev);
> > int tlen = dev->needed_tailroom;
> > + int payload;
> > int len = hlen + tlen;
> > struct sk_buff *skb;
> > struct ncsi_request *nr;
> > @@ -281,14 +290,18 @@ static struct ncsi_request
> > *ncsi_alloc_command(struct ncsi_cmd_arg *nca)
> > return NULL;
> >
> > /* NCSI command packet has 16-bytes header, payload, 4 bytes
> > checksum.
> > + * Payload needs padding so that the checksum field follwoing
> > payload is
> > + * aligned to 32bit boundary.
> > * The packet needs padding if its payload is less than 26
> > bytes to
> > * meet 64 bytes minimal ethernet frame length.
> > */
> > len += sizeof(struct ncsi_cmd_pkt_hdr) + 4;
> > - if (nca->payload < 26)
> > +
> > + payload = ALIGN(nca->payload, 4);
> > + if (payload < 26)
> > len += 26;
> > else
> > - len += nca->payload;
> > + len += payload;
> >
> > /* Allocate skb */
> > skb = alloc_skb(len, GFP_ATOMIC);
> > --
> > 2.17.1
> >
Powered by blists - more mailing lists