From: Stephen Hemminger <shemminger@vyatta.com>
To: David Miller <davem@davemloft.net>, Changli Gao <xiaosuo@gmail.com>
Cc: netdev@vger.kernel.org
Subject: [PATCH] u32: negative offset fix
Date: Mon, 2 Aug 2010 16:44:13 -0700
Message-ID: <20100802164413.6f327ce6@nehalam>
In-Reply-To: <20100802220030.991706005@vyatta.com>

It was possible to use a negative offset in a u32 match to reference
the ethernet header or other parts of the link layer header.
This fixes the regression caused by:

commit fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d
Author: Changli Gao <xiaosuo@gmail.com>
Date:   Wed Jun 2 07:32:42 2010 -0700

    cls_u32: use skb_header_pointer() to dereference data safely


Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
---
 Combines change to signed type and check in one patch.


--- a/net/sched/cls_u32.c	2010-08-02 15:02:36.778304996 -0700
+++ b/net/sched/cls_u32.c	2010-08-02 16:25:40.661661091 -0700
@@ -134,10 +134,12 @@ next_knode:
 #endif
 
 		for (i = n->sel.nkeys; i>0; i--, key++) {
-			unsigned int toff;
+			int toff = off + key->off + (off2 & key->offmask);
 			__be32 *data, _data;
+
+			if (skb_headroom(skb) + toff < 0)
+				goto out;
 
-			toff = off + key->off + (off2 & key->offmask);
 			data = skb_header_pointer(skb, toff, 4, &_data);
 			if (!data)
 				goto out;
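
Review bot: the new bounds check `if (skb_headroom(skb) + toff < 0)` cannot fire as written. skb_headroom() returns unsigned int, so the signed `toff` is converted to unsigned before the addition and the sum is never less than zero; a negative offset that reaches past the start of the headroom wraps to a large positive value and falls through to skb_header_pointer(). Do the comparison in signed arithmetic, for example `(int)skb_headroom(skb) + toff < 0`, or keep the unsigned sum and reject values above INT_MAX. A short comment above the check saying that negative `toff` is allowed on purpose, to reach the link layer header, would also help later readers.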


Thread overview: 15+ messages
2010-08-02 22:00 [PATCH 0/4] u32 classifier fixes Stephen Hemminger
2010-08-02 22:00 ` [PATCH 1/4] net: check for reference outside of skb Stephen Hemminger
2010-08-02 22:59   ` David Miller
2010-08-02 23:11   ` Changli Gao
2010-08-02 23:21     ` Stephen Hemminger
2010-08-02 23:25       ` Changli Gao
2010-08-02 22:00 ` [PATCH 2/4] net: add likely/unlikely to skb_header_pointer Stephen Hemminger
2010-08-02 22:00 ` [PATCH 3/4] u32: allow negative offset Stephen Hemminger
2010-08-02 22:00 ` [PATCH 4/4] u32: use get_unaligned_be32 Stephen Hemminger
2010-08-02 22:34   ` Changli Gao
2010-08-02 22:45     ` Stephen Hemminger
2010-08-02 22:55       ` Ben Hutchings
2010-08-02 23:01         ` Changli Gao
2010-08-02 23:44 ` Stephen Hemminger [this message]
2010-08-03  5:08   ` [PATCH] u32: negative offset fix David Miller
