From: Bandan Das <bandan.das@stratus.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: "Jan Lübbe" <jluebbe@debian.org>,
"Scot Doyle" <lkml@scotdoyle.com>,
"Stephen Hemminger" <shemminger@vyatta.com>,
"Hiroaki SHIMODA" <shimoda.hiroaki@gmail.com>,
netdev@vger.kernel.org, "Bandan Das" <bandan.das@stratus.com>
Subject: Re: Kernel panic when using bridge
Date: Tue, 12 Apr 2011 12:32:01 -0400 [thread overview]
Message-ID: <20110412163201.GE2047@stratus.com> (raw)
In-Reply-To: <1302624851.3233.63.camel@edumazet-laptop>
On 0, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> Le mardi 12 avril 2011 à 17:13 +0200, Jan Lübbe a écrit :
> > On Tue, 2011-04-12 at 16:49 +0200, Eric Dumazet wrote:
> > > Of course, this might be a complete shot in the dark, but a
> > > stackprotector fault in icmp_send() really sounds like a problem in
> > > ip_options_echo() [ or bad input data given to this function ]
> >
> > It was my understanding that all IP options given to ip_options_echo are
> > either from local sources or have gone through ip_options_compile, which
> > seems to verify that the sum of the individual option lengths do not
> > exceed the ip header. So there wouldn't need to be additional checks in
> > ip_options_echo.
> >
> > If this is not the case, we need size checks in ip_options_echo before
> > copying over each option.
> >
> > > Other related changes (but as old as v2.6.22) :
> > >
> > > commit 11a03f78fbf15a866ba
> > > ([NetLabel]: core network changes)
> >
> > When investigating the problem I had with timestamps, i found that most
> > of the lines in ip_options_echo and _compile have not been changed since
> > before 2.2 (some even before 2.0). The newer changes have all been
> > updates for changed API elsewhere in the stack.
> >
>
> commit 462fb2af9788a82 might be the problem.
> (bridge : Sanitize skb before it enters the IP stack)
>
> We are supposed to provide a zeroed ip_options to ip_options_compile()
>
> diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
> index 008ff6c..f3bc322 100644
> --- a/net/bridge/br_netfilter.c
> +++ b/net/bridge/br_netfilter.c
> @@ -249,11 +249,9 @@ static int br_parse_ip_options(struct sk_buff *skb)
> goto drop;
> }
>
> - /* Zero out the CB buffer if no options present */
> - if (iph->ihl == 5) {
> - memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
> + memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
> + if (iph->ihl == 5)
> return 0;
> - }
>
> opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
> if (ip_options_compile(dev_net(dev), opt, skb))
>
>
Looks good to me. The CB area should be cleared out anyways before
handing over the packet. Thank you for spotting this!
Acked-by: Bandan Das <bandan.das@stratus.com>
prev parent reply other threads:[~2011-04-12 16:44 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-08 1:20 Kernel panic when using bridge Scot Doyle
2011-04-08 13:49 ` Sebastian Nickel
2011-04-08 14:57 ` Scot Doyle
2011-04-08 19:12 ` Pallai Roland
2011-04-08 19:17 ` Stephen Hemminger
2011-04-09 4:51 ` Scot Doyle
2011-04-09 7:19 ` Hiroaki SHIMODA
2011-04-11 23:48 ` Scot Doyle
2011-04-12 1:31 ` Stephen Hemminger
2011-04-12 3:47 ` Scot Doyle
2011-04-12 4:09 ` Eric Dumazet
2011-04-12 4:22 ` Eric Dumazet
2011-04-12 5:17 ` Scot Doyle
2011-04-12 5:51 ` Eric Dumazet
2011-04-12 7:02 ` Scot Doyle
2011-04-12 7:31 ` Eric Dumazet
2011-04-12 8:39 ` [PATCH] inetpeer: reduce stack usage Eric Dumazet
2011-04-12 14:51 ` Hiroaki SHIMODA
2011-04-12 14:55 ` Eric Dumazet
2011-04-12 20:58 ` David Miller
2011-04-12 11:49 ` Kernel panic when using bridge Eric Dumazet
2011-04-12 13:02 ` Jan Lübbe
2011-04-12 13:15 ` Eric Dumazet
2011-04-12 14:19 ` Jan Lübbe
2011-04-12 14:49 ` Eric Dumazet
2011-04-12 15:13 ` Jan Lübbe
2011-04-12 16:14 ` Eric Dumazet
2011-04-12 16:20 ` Stephen Hemminger
2011-04-12 16:35 ` Eric Dumazet
2011-04-12 16:45 ` Bandan Das
2011-04-12 16:54 ` Eric Dumazet
2011-04-12 17:18 ` [PATCH] bridge: reset IPCB in br_parse_ip_options Eric Dumazet
2011-04-12 20:39 ` David Miller
2011-04-12 23:55 ` Scot Doyle
2011-04-13 4:12 ` Scot Doyle
2011-04-13 15:10 ` Scot Doyle
2011-04-13 15:24 ` Stephen Hemminger
2011-04-13 15:54 ` Scot Doyle
2011-04-13 15:28 ` Eric Dumazet
2011-04-13 21:48 ` David Miller
2011-04-14 0:03 ` Stephen Hemminger
2011-04-14 0:05 ` David Miller
2011-04-14 0:08 ` Stephen Hemminger
2011-04-14 2:31 ` Eric Dumazet
2011-04-14 2:54 ` Stephen Hemminger
2011-04-14 3:03 ` [PATCH] ip: ip_options_compile() resilient to NULL skb route Eric Dumazet
2011-04-14 3:30 ` Hiroaki SHIMODA
2011-04-14 3:37 ` Eric Dumazet
2011-04-14 4:15 ` Hiroaki SHIMODA
2011-04-14 13:34 ` Scot Doyle
2011-04-14 15:55 ` [PATCH v2] " Eric Dumazet
2011-04-14 22:02 ` Scot Doyle
2011-04-14 22:04 ` David Miller
2011-04-14 23:20 ` Hiroaki SHIMODA
2011-04-15 6:26 ` David Miller
2011-04-12 16:32 ` Bandan Das [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110412163201.GE2047@stratus.com \
--to=bandan.das@stratus.com \
--cc=eric.dumazet@gmail.com \
--cc=jluebbe@debian.org \
--cc=lkml@scotdoyle.com \
--cc=netdev@vger.kernel.org \
--cc=shemminger@vyatta.com \
--cc=shimoda.hiroaki@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.