When sending a packet, we will prepend it with an LAPB header.
This modifies the shared parts of a cloned skb, so we should copy the
skb rather than just clone it, before we prepend the header.
In "Documentation/networking/driver.rst" (the 2nd point), it states
that drivers shouldn't modify the shared parts of a cloned skb when
transmitting.
The "dev_queue_xmit_nit" function in "net/core/dev.c", which is called
when an skb is being sent, clones the skb and sents the clone to
AF_PACKET sockets. Because the LAPB drivers first remove a 1-byte
pseudo-header before handing over the skb to us, if we don't copy the
skb before prepending the LAPB header, the first byte of the packets
received on AF_PACKET sockets can be corrupted.
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Xie He <xie.he.0141@gmail.com>
Acked-by: Martin Schiller <ms@dev.tdt.de>
Link: https://lore.kernel.org/r/20210201055706.415842-1-xie.he.0141@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
		
	
			
		
			
				
	
	
		
			206 lines
		
	
	
		
			4.7 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			206 lines
		
	
	
		
			4.7 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0-or-later
 | |
| /*
 | |
|  *	LAPB release 002
 | |
|  *
 | |
|  *	This code REQUIRES 2.1.15 or higher/ NET3.038
 | |
|  *
 | |
|  *	History
 | |
|  *	LAPB 001	Jonathan Naylor	Started Coding
 | |
|  *	LAPB 002	Jonathan Naylor	New timer architecture.
 | |
|  */
 | |
| 
 | |
| #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 | |
| 
 | |
| #include <linux/errno.h>
 | |
| #include <linux/types.h>
 | |
| #include <linux/socket.h>
 | |
| #include <linux/in.h>
 | |
| #include <linux/kernel.h>
 | |
| #include <linux/timer.h>
 | |
| #include <linux/string.h>
 | |
| #include <linux/sockios.h>
 | |
| #include <linux/net.h>
 | |
| #include <linux/inet.h>
 | |
| #include <linux/skbuff.h>
 | |
| #include <linux/slab.h>
 | |
| #include <net/sock.h>
 | |
| #include <linux/uaccess.h>
 | |
| #include <linux/fcntl.h>
 | |
| #include <linux/mm.h>
 | |
| #include <linux/interrupt.h>
 | |
| #include <net/lapb.h>
 | |
| 
 | |
| /*
 | |
|  *  This procedure is passed a buffer descriptor for an iframe. It builds
 | |
|  *  the rest of the control part of the frame and then writes it out.
 | |
|  */
 | |
| static void lapb_send_iframe(struct lapb_cb *lapb, struct sk_buff *skb, int poll_bit)
 | |
| {
 | |
| 	unsigned char *frame;
 | |
| 
 | |
| 	if (!skb)
 | |
| 		return;
 | |
| 
 | |
| 	if (lapb->mode & LAPB_EXTENDED) {
 | |
| 		frame = skb_push(skb, 2);
 | |
| 
 | |
| 		frame[0] = LAPB_I;
 | |
| 		frame[0] |= lapb->vs << 1;
 | |
| 		frame[1] = poll_bit ? LAPB_EPF : 0;
 | |
| 		frame[1] |= lapb->vr << 1;
 | |
| 	} else {
 | |
| 		frame = skb_push(skb, 1);
 | |
| 
 | |
| 		*frame = LAPB_I;
 | |
| 		*frame |= poll_bit ? LAPB_SPF : 0;
 | |
| 		*frame |= lapb->vr << 5;
 | |
| 		*frame |= lapb->vs << 1;
 | |
| 	}
 | |
| 
 | |
| 	lapb_dbg(1, "(%p) S%d TX I(%d) S%d R%d\n",
 | |
| 		 lapb->dev, lapb->state, poll_bit, lapb->vs, lapb->vr);
 | |
| 
 | |
| 	lapb_transmit_buffer(lapb, skb, LAPB_COMMAND);
 | |
| }
 | |
| 
 | |
| void lapb_kick(struct lapb_cb *lapb)
 | |
| {
 | |
| 	struct sk_buff *skb, *skbn;
 | |
| 	unsigned short modulus, start, end;
 | |
| 
 | |
| 	modulus = (lapb->mode & LAPB_EXTENDED) ? LAPB_EMODULUS : LAPB_SMODULUS;
 | |
| 	start = !skb_peek(&lapb->ack_queue) ? lapb->va : lapb->vs;
 | |
| 	end   = (lapb->va + lapb->window) % modulus;
 | |
| 
 | |
| 	if (!(lapb->condition & LAPB_PEER_RX_BUSY_CONDITION) &&
 | |
| 	    start != end && skb_peek(&lapb->write_queue)) {
 | |
| 		lapb->vs = start;
 | |
| 
 | |
| 		/*
 | |
| 		 * Dequeue the frame and copy it.
 | |
| 		 */
 | |
| 		skb = skb_dequeue(&lapb->write_queue);
 | |
| 
 | |
| 		do {
 | |
| 			skbn = skb_copy(skb, GFP_ATOMIC);
 | |
| 			if (!skbn) {
 | |
| 				skb_queue_head(&lapb->write_queue, skb);
 | |
| 				break;
 | |
| 			}
 | |
| 
 | |
| 			if (skb->sk)
 | |
| 				skb_set_owner_w(skbn, skb->sk);
 | |
| 
 | |
| 			/*
 | |
| 			 * Transmit the frame copy.
 | |
| 			 */
 | |
| 			lapb_send_iframe(lapb, skbn, LAPB_POLLOFF);
 | |
| 
 | |
| 			lapb->vs = (lapb->vs + 1) % modulus;
 | |
| 
 | |
| 			/*
 | |
| 			 * Requeue the original data frame.
 | |
| 			 */
 | |
| 			skb_queue_tail(&lapb->ack_queue, skb);
 | |
| 
 | |
| 		} while (lapb->vs != end && (skb = skb_dequeue(&lapb->write_queue)) != NULL);
 | |
| 
 | |
| 		lapb->condition &= ~LAPB_ACK_PENDING_CONDITION;
 | |
| 
 | |
| 		if (!lapb_t1timer_running(lapb))
 | |
| 			lapb_start_t1timer(lapb);
 | |
| 	}
 | |
| }
 | |
| 
 | |
| void lapb_transmit_buffer(struct lapb_cb *lapb, struct sk_buff *skb, int type)
 | |
| {
 | |
| 	unsigned char *ptr;
 | |
| 
 | |
| 	ptr = skb_push(skb, 1);
 | |
| 
 | |
| 	if (lapb->mode & LAPB_MLP) {
 | |
| 		if (lapb->mode & LAPB_DCE) {
 | |
| 			if (type == LAPB_COMMAND)
 | |
| 				*ptr = LAPB_ADDR_C;
 | |
| 			if (type == LAPB_RESPONSE)
 | |
| 				*ptr = LAPB_ADDR_D;
 | |
| 		} else {
 | |
| 			if (type == LAPB_COMMAND)
 | |
| 				*ptr = LAPB_ADDR_D;
 | |
| 			if (type == LAPB_RESPONSE)
 | |
| 				*ptr = LAPB_ADDR_C;
 | |
| 		}
 | |
| 	} else {
 | |
| 		if (lapb->mode & LAPB_DCE) {
 | |
| 			if (type == LAPB_COMMAND)
 | |
| 				*ptr = LAPB_ADDR_A;
 | |
| 			if (type == LAPB_RESPONSE)
 | |
| 				*ptr = LAPB_ADDR_B;
 | |
| 		} else {
 | |
| 			if (type == LAPB_COMMAND)
 | |
| 				*ptr = LAPB_ADDR_B;
 | |
| 			if (type == LAPB_RESPONSE)
 | |
| 				*ptr = LAPB_ADDR_A;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	lapb_dbg(2, "(%p) S%d TX %3ph\n", lapb->dev, lapb->state, skb->data);
 | |
| 
 | |
| 	if (!lapb_data_transmit(lapb, skb))
 | |
| 		kfree_skb(skb);
 | |
| }
 | |
| 
 | |
| void lapb_establish_data_link(struct lapb_cb *lapb)
 | |
| {
 | |
| 	lapb->condition = 0x00;
 | |
| 	lapb->n2count   = 0;
 | |
| 
 | |
| 	if (lapb->mode & LAPB_EXTENDED) {
 | |
| 		lapb_dbg(1, "(%p) S%d TX SABME(1)\n", lapb->dev, lapb->state);
 | |
| 		lapb_send_control(lapb, LAPB_SABME, LAPB_POLLON, LAPB_COMMAND);
 | |
| 	} else {
 | |
| 		lapb_dbg(1, "(%p) S%d TX SABM(1)\n", lapb->dev, lapb->state);
 | |
| 		lapb_send_control(lapb, LAPB_SABM, LAPB_POLLON, LAPB_COMMAND);
 | |
| 	}
 | |
| 
 | |
| 	lapb_start_t1timer(lapb);
 | |
| 	lapb_stop_t2timer(lapb);
 | |
| }
 | |
| 
 | |
| void lapb_enquiry_response(struct lapb_cb *lapb)
 | |
| {
 | |
| 	lapb_dbg(1, "(%p) S%d TX RR(1) R%d\n",
 | |
| 		 lapb->dev, lapb->state, lapb->vr);
 | |
| 
 | |
| 	lapb_send_control(lapb, LAPB_RR, LAPB_POLLON, LAPB_RESPONSE);
 | |
| 
 | |
| 	lapb->condition &= ~LAPB_ACK_PENDING_CONDITION;
 | |
| }
 | |
| 
 | |
| void lapb_timeout_response(struct lapb_cb *lapb)
 | |
| {
 | |
| 	lapb_dbg(1, "(%p) S%d TX RR(0) R%d\n",
 | |
| 		 lapb->dev, lapb->state, lapb->vr);
 | |
| 	lapb_send_control(lapb, LAPB_RR, LAPB_POLLOFF, LAPB_RESPONSE);
 | |
| 
 | |
| 	lapb->condition &= ~LAPB_ACK_PENDING_CONDITION;
 | |
| }
 | |
| 
 | |
| void lapb_check_iframes_acked(struct lapb_cb *lapb, unsigned short nr)
 | |
| {
 | |
| 	if (lapb->vs == nr) {
 | |
| 		lapb_frames_acked(lapb, nr);
 | |
| 		lapb_stop_t1timer(lapb);
 | |
| 		lapb->n2count = 0;
 | |
| 	} else if (lapb->va != nr) {
 | |
| 		lapb_frames_acked(lapb, nr);
 | |
| 		lapb_start_t1timer(lapb);
 | |
| 	}
 | |
| }
 | |
| 
 | |
| void lapb_check_need_response(struct lapb_cb *lapb, int type, int pf)
 | |
| {
 | |
| 	if (type == LAPB_COMMAND && pf)
 | |
| 		lapb_enquiry_response(lapb);
 | |
| }
 |