On Tue, 2010-01-12 at 17:56 -0800, Brandeburg, Jesse wrote:
> On Wed, 6 Jan 2010, Brandeburg, Jesse wrote:
> > a counter patch, without atomic ops, since we are protected by napi when
> > modifying this variable.
> >
> > Originally From: Neil Horman
> > Modified by: Jesse Brandeburg
> >
> > Hey all-
> > A security discussion was recently given:
> > http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
> > And a patch that I submitted awhile back was brought up. Apparently some of
> > their testing revealed that they were able to force a buffer fragment in e1000
> > in which the trailing fragment was greater than 4 bytes. As a result the
> > fragment check I introduced failed to detect the fragment and a partial
> > invalid frame was passed up into the network stack. I've written this patch
> > to correct it. I'm in the process of testing it now, but it makes good
> > logical sense to me. Effectively it maintains a per-adapter state variable
> > which detects a non-EOP frame, and discards it and subsequent non-EOP frames
> > leading up to _and_ _including_ the next positive-EOP frame (as it is by
> > definition the last fragment). This should prevent any and all partial frames
> > from entering the network stack from e1000.
> >
> > Signed-off-by: Jesse Brandeburg
>
> I would like to withdraw this patch, at least for 2.6.32+ e1000 and e1000e
> are both not susceptible to this attack. We have verified the below with
> testing, including code modifications to guarantee the correct paths were
> taken when receiving overlong frames.
[...]
> I believe RedHat has not backported this patch, and kernels <= 2.6.31
> still need the fix, so both need some version of this workaround, but
> 2.6.32 does not.
[...]

There's also the 2.6.27 stable series, and several long-term supported
distributions. I'm particularly interested in getting a patch for
Debian 5.0's kernel based on 2.6.26. Please advise what would be a
suitable change for the older kernel versions.

Ben.

--
Ben Hutchings
The generation of random numbers is too important to be left to chance.
- Robert Coveyou
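
The discard logic described in the quoted patch message (drop a non-EOP buffer and everything up to and including the next EOP buffer), as an added example that is not part of this thread and is not the e1000 driver's code. The struct and function names are hypothetical, the descriptor is simplified, and the ring contents are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified receive descriptor (not the e1000 layout). */
struct rx_desc {
    unsigned len;  /* bytes the hardware wrote into this buffer */
    bool eop;      /* End Of Packet: last buffer of a frame */
};

/* Hypothetical per-adapter state. A plain bool is enough only when one
 * poll context at a time touches it, as the thread says of NAPI. */
struct adapter {
    bool discarding;  /* inside a frame that spanned several buffers */
};

/* Returns true if this buffer may be passed up the stack. */
static bool rx_accept(struct adapter *a, const struct rx_desc *d)
{
    if (!d->eop) {          /* frame continues in the next buffer */
        a->discarding = true;
        return false;
    }
    if (a->discarding) {    /* EOP buffer that ends a fragmented frame */
        a->discarding = false;
        return false;       /* dropped whatever its length */
    }
    return true;            /* whole frame in a single buffer */
}

/* Constructed ring: good frame, 3-buffer overlong frame whose 100-byte
 * tail is far larger than 4 bytes, then another good frame. */
static const struct rx_desc sample_ring[] = {
    {1514, true}, {2048, false}, {2048, false}, {100, true}, {60, true},
};

/* Bit i of the result is set when sample_ring[i] is accepted. */
static unsigned sample_accept_mask(void)
{
    struct adapter a = { .discarding = false };
    unsigned mask = 0;
    for (size_t i = 0; i < sizeof sample_ring / sizeof sample_ring[0]; i++)
        if (rx_accept(&a, &sample_ring[i]))
            mask |= 1u << i;
    return mask;
}

int main(void) { return sample_accept_mask() == 0x11 ? 0 : 1; }
```

Because the decision depends only on the EOP bit and the saved state, the size of the trailing fragment no longer matters, which is the case the message says the earlier length-based check missed.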