Date: Sun, 12 Feb 2023 21:08:01 -0800 From: Michael Kelley <mikelley@...rosoft.com> To: kys@...rosoft.com, haiyangz@...rosoft.com, wei.liu@...nel.org, decui@...rosoft.com, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org, linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org Cc: mikelley@...rosoft.com Subject: [PATCH net-next v3 1/1] hv_netvsc: Check status in SEND_RNDIS_PKT completion message Completion responses to SEND_RNDIS_PKT messages are currently processed regardless of the status in the response, so that resources associated with the request are freed. While this is appropriate, code bugs that cause sending a malformed message, or errors on the Hyper-V host, go undetected. Fix this by checking the status and outputting a rate-limited message if there is an error. Signed-off-by: Michael Kelley <mikelley@...rosoft.com> --- Changes in v3: * Fix rate-limit logic when msglen is too small [Haiyang Zhang] Changes in v2: * Add rate-limiting to error messages [Haiyang Zhang] drivers/net/hyperv/netvsc.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c index 661bbe6..f702807 100644 --- a/drivers/net/hyperv/netvsc.c +++ b/drivers/net/hyperv/netvsc.c @@ -813,6 +813,7 @@ static void netvsc_send_completion(struct net_device *ndev, u32 msglen = hv_pkt_datalen(desc); struct nvsp_message *pkt_rqst; u64 cmd_rqst; + u32 status; /* First check if this is a VMBUS completion without data payload */ if (!msglen) { 
@@ -884,6 +885,23 @@ static void netvsc_send_completion(struct net_device *ndev, break; case NVSP_MSG1_TYPE_SEND_RNDIS_PKT_COMPLETE: + if (msglen < sizeof(struct nvsp_message_header) + + sizeof(struct nvsp_1_message_send_rndis_packet_complete)) { + if (net_ratelimit()) + netdev_err(ndev, "nvsp_rndis_pkt_complete length too small: %u\n", + msglen); + return; + } + + /* If status indicates an error, output a message so we know + * there's a problem. But process the completion anyway so the + * resources are released. + */ + status = nvsp_packet->msg.v1_msg.send_rndis_pkt_complete.status; + if (status != NVSP_STAT_SUCCESS && net_ratelimit()) + netdev_err(ndev, "nvsp_rndis_pkt_complete error status: %x\n", + status); + netvsc_send_tx_complete(ndev, net_device, incoming_channel, desc, budget); break; -- 1.8.3.1
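Review bot: In the NVSP_MSG1_TYPE_SEND_RNDIS_PKT_COMPLETE case, the too-small msglen branch does `return;` before netvsc_send_tx_complete() is reached, so a truncated completion leaves the request's resources unreleased, which is at odds with the comment just below it ("process the completion anyway so the resources are released"). netvsc_send_tx_complete() is passed desc here rather than the message body, so if it does not need the payload, consider logging and then falling through to it, skipping only the status read. Otherwise add a comment saying why dropping the completion is the intended behaviour for a short message. Minor: the status is printed with `%x`, which gives an unprefixed hex value; `%#x` or `0x%x` would make the log line unambiguous.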