From: Shmulik Ladkani <shmulik.ladkani@gmail.com>
To: pravin shelar <pshelar@ovn.org>
Cc: Jiri Pirko <jiri@mellanox.com>,
"David S . Miller" <davem@davemloft.net>,
Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: [PATCH] net: skbuff: Fix length validation in skb_vlan_pop()
Date: Mon, 19 Sep 2016 09:15:38 +0300 [thread overview]
Message-ID: <20160919091538.56defd2b@pixies> (raw)
In-Reply-To: <CAOrHB_D2ytTK9WjfCPL87E1QomeXg+2GfAvo8N8xCcJULhAC=w@mail.gmail.com>
Hi,
On Sun, 18 Sep 2016 13:26:30 -0700, pshelar@ovn.org wrote:
> On Sun, Sep 18, 2016 at 3:09 AM, Shmulik Ladkani
> <shmulik.ladkani@gmail.com> wrote:
> > diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> > index 1e329d4112..cc2c004838 100644
> > --- a/net/core/skbuff.c
> > +++ b/net/core/skbuff.c
> > @@ -4537,7 +4537,7 @@ int skb_vlan_pop(struct sk_buff *skb)
> > } else {
> > if (unlikely((skb->protocol != htons(ETH_P_8021Q) &&
> > skb->protocol != htons(ETH_P_8021AD)) ||
> > - skb->len < VLAN_ETH_HLEN))
> > + skb->mac_len < VLAN_ETH_HLEN))
>
> There is already check in __skb_vlan_pop() to validate skb for a vlan
> header. So it is safe to drop this check entirely.
Seems validation in '__skb_vlan_pop' has slightly different semantics:
unsigned int offset = skb->data - skb_mac_header(skb);
__skb_push(skb, offset);
err = skb_ensure_writable(skb, VLAN_ETH_HLEN);
this pushes 'data' back to mac_header, then makes sure there's sufficient
place in skb to _store_ VLAN_ETH_HLEN bytes (by pulling into linear part
if needed, or erroring if skb is too small).
There's no guarantee the original mac header was sized VLAN_ETH_HLEN.
Interpretation of the following
if (unlikely((skb->protocol != htons(ETH_P_8021Q) &&
skb->protocol != htons(ETH_P_8021AD)) ||
skb->len < VLAN_ETH_HLEN))
return 0;
in 'skb_vlan_pop' might be read as:
"there's no tag, or protocol says its a tag but it's insufficient to pop,
so lets do nothing".
Is it superflous?
Thanks,
Shmulik
next prev parent reply other threads:[~2016-09-19 6:15 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-18 10:09 [PATCH] net: skbuff: Fix length validation in skb_vlan_pop() Shmulik Ladkani
2016-09-18 20:26 ` pravin shelar
2016-09-19 6:15 ` Shmulik Ladkani [this message]
2016-09-19 12:22 ` Daniel Borkmann
2016-09-19 13:05 ` Shmulik Ladkani
2016-09-19 15:20 ` Shmulik Ladkani
2016-09-19 20:04 ` Shmulik Ladkani
2016-09-19 20:46 ` pravin shelar
2016-09-20 4:36 ` Shmulik Ladkani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160919091538.56defd2b@pixies \
--to=shmulik.ladkani@gmail.com \
--cc=davem@davemloft.net \
--cc=jiri@mellanox.com \
--cc=netdev@vger.kernel.org \
--cc=pshelar@ovn.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.