[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3

To: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>
From: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Date: Thu, 26 Aug 2010 10:34:43 +0200
Cc: Jeremy Fitzhardinge <jeremy@xxxxxxxx>, "Xen-devel@xxxxxxxxxxxxxxxxxxx" <Xen-devel@xxxxxxxxxxxxxxxxxxx>, "netdev@xxxxxxxxxxxxxxx" <netdev@xxxxxxxxxxxxxxx>, "bugzilla-daemon@xxxxxxxxxxxxxxxxxxx" <bugzilla-daemon@xxxxxxxxxxxxxxxxxxx>, James Chapman <jchapman@xxxxxxxxxxx>, Chris Wright <chrisw@xxxxxxxxxxxx>, "bugme-daemon@xxxxxxxxxxxxxxxxxxx" <bugme-daemon@xxxxxxxxxxxxxxxxxxx>, "heil@xxxxxxxxxxxxxxxxxxxxxx" <heil@xxxxxxxxxxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, David Miller <davem@xxxxxxxxxxxxx>
Delivery-date: Thu, 26 Aug 2010 10:44:14 -0700
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=ezTCED1PJRTYIjXJRiyLf++yRMzmwpZvGqlLBMU4kDZRc20a3tIkkQQNFDTvgz96U/ YAZai4fIRzlEx28NTSd+XNMw/yyJn8OlpmEqZqhxHCv9Ux39Qetev8LhFT7jQvkUPmMs EgW9G+mc99xSNE/3/1ouU6VK58o0LDjohY5Oc=
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Le jeudi 26 aoÃt 2010 Ã 09:14 +0100, Ian Campbell a Ãcrit :
> On Thu, 2010-08-26 at 09:03 +0100, Eric Dumazet wrote:
> > Here is the patch, could you test it please ?
> > 
> > Thanks !
> > 
> > [PATCH] l2tp: test for malicious frames in l2tp_eth_dev_recv()
> > 
> > close https://bugzilla.kernel.org/show_bug.cgi?id=16529
> > 
> > Before calling dev_forward_skb(), we should make sure skb contains at
> > least an ethernet header, even if length included in upper layer said
> > so.
> 
> Does this imply that there is some problem with xen-netfront setting
> skb->len or skb->data_len or something incorrectly? It's not clear where
> data_len has come from in this context.

data_len is a 16bit field provided in a prior encapsulation header,
provided by user (untrusted source)

Some buggy or malicious software sent an invalid frame,


< encapsulation [len=1000] >  < 'runt' eth frame (len<14) > 

Another fix would be to change l2tp_recv_dequeue_skb(), and check

L2TP_SKB_CB(skb)->length against skb->len, before calling 

(*session->recv_skb)(session, skb, length);


I prefer the one liner patch I sent you, as a minimum fix.



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Follow-Ups:
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Ian Campbell

References:
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Jeremy Fitzhardinge
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Ian Campbell
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Eric Dumazet
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Ian Campbell

Prev by Date: [Xen-devel] Re: you patch "block: push down BKL into .open and .release" and its changes to xen-blkfront.c
Next by Date: [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
Previous by thread: [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
Next by thread: [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.