mirror of
https://github.com/torvalds/linux.git
synced 2024-10-30 08:42:47 +00:00
packet: Don't write vnet header beyond end of buffer
... which may happen with certain values of tp_reserve and maclen.
Fixes: 58d19b19cd
("packet: vnet_hdr support for tpacket_rcv")
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Cc: Willem de Bruijn <willemb@google.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
d55c60eba0
commit
edbd58be15
@ -2191,6 +2191,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
|
|||||||
struct timespec ts;
|
struct timespec ts;
|
||||||
__u32 ts_status;
|
__u32 ts_status;
|
||||||
bool is_drop_n_account = false;
|
bool is_drop_n_account = false;
|
||||||
|
bool do_vnet = false;
|
||||||
|
|
||||||
/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
|
/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
|
||||||
* We may add members to them until current aligned size without forcing
|
* We may add members to them until current aligned size without forcing
|
||||||
@ -2241,8 +2242,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
|
|||||||
netoff = TPACKET_ALIGN(po->tp_hdrlen +
|
netoff = TPACKET_ALIGN(po->tp_hdrlen +
|
||||||
(maclen < 16 ? 16 : maclen)) +
|
(maclen < 16 ? 16 : maclen)) +
|
||||||
po->tp_reserve;
|
po->tp_reserve;
|
||||||
if (po->has_vnet_hdr)
|
if (po->has_vnet_hdr) {
|
||||||
netoff += sizeof(struct virtio_net_hdr);
|
netoff += sizeof(struct virtio_net_hdr);
|
||||||
|
do_vnet = true;
|
||||||
|
}
|
||||||
macoff = netoff - maclen;
|
macoff = netoff - maclen;
|
||||||
}
|
}
|
||||||
if (po->tp_version <= TPACKET_V2) {
|
if (po->tp_version <= TPACKET_V2) {
|
||||||
@ -2259,8 +2262,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
|
|||||||
skb_set_owner_r(copy_skb, sk);
|
skb_set_owner_r(copy_skb, sk);
|
||||||
}
|
}
|
||||||
snaplen = po->rx_ring.frame_size - macoff;
|
snaplen = po->rx_ring.frame_size - macoff;
|
||||||
if ((int)snaplen < 0)
|
if ((int)snaplen < 0) {
|
||||||
snaplen = 0;
|
snaplen = 0;
|
||||||
|
do_vnet = false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else if (unlikely(macoff + snaplen >
|
} else if (unlikely(macoff + snaplen >
|
||||||
GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
|
GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
|
||||||
@ -2273,6 +2278,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
|
|||||||
if (unlikely((int)snaplen < 0)) {
|
if (unlikely((int)snaplen < 0)) {
|
||||||
snaplen = 0;
|
snaplen = 0;
|
||||||
macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
|
macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
|
||||||
|
do_vnet = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
spin_lock(&sk->sk_receive_queue.lock);
|
spin_lock(&sk->sk_receive_queue.lock);
|
||||||
@ -2298,7 +2304,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
|
|||||||
}
|
}
|
||||||
spin_unlock(&sk->sk_receive_queue.lock);
|
spin_unlock(&sk->sk_receive_queue.lock);
|
||||||
|
|
||||||
if (po->has_vnet_hdr) {
|
if (do_vnet) {
|
||||||
if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
|
if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
|
||||||
sizeof(struct virtio_net_hdr),
|
sizeof(struct virtio_net_hdr),
|
||||||
vio_le(), true)) {
|
vio_le(), true)) {
|
||||||
|
Loading…
Reference in New Issue
Block a user