From: Shmulik Ladkani <shmulik.ladkani@gmail.com>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: pravin shelar <pshelar@ovn.org>, Jiri Pirko <jiri@mellanox.com>,
"David S . Miller" <davem@davemloft.net>,
Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: [PATCH] net: skbuff: Fix length validation in skb_vlan_pop()
Date: Mon, 19 Sep 2016 16:05:17 +0300 [thread overview]
Message-ID: <20160919160517.6ee28bde@pixies> (raw)
In-Reply-To: <57DFD8A1.1090103@iogearbox.net>
On Mon, 19 Sep 2016 14:22:57 +0200, daniel@iogearbox.net wrote:
> On 09/19/2016 08:15 AM, Shmulik Ladkani wrote:
> > On Sun, 18 Sep 2016 13:26:30 -0700, pshelar@ovn.org wrote:
> >> On Sun, Sep 18, 2016 at 3:09 AM, Shmulik Ladkani
> >> <shmulik.ladkani@gmail.com> wrote:
> >>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> >>> index 1e329d4112..cc2c004838 100644
> >>> --- a/net/core/skbuff.c
> >>> +++ b/net/core/skbuff.c
> >>> @@ -4537,7 +4537,7 @@ int skb_vlan_pop(struct sk_buff *skb)
> >>> } else {
> >>> if (unlikely((skb->protocol != htons(ETH_P_8021Q) &&
> >>> skb->protocol != htons(ETH_P_8021AD)) ||
> >>> - skb->len < VLAN_ETH_HLEN))
> >>> + skb->mac_len < VLAN_ETH_HLEN))
> >>
> >> There is already check in __skb_vlan_pop() to validate skb for a vlan
> >> header. So it is safe to drop this check entirely.
> >
> > Seems validation in '__skb_vlan_pop' has slightly different semantics:
> >
> > unsigned int offset = skb->data - skb_mac_header(skb);
> >
> > __skb_push(skb, offset);
> > err = skb_ensure_writable(skb, VLAN_ETH_HLEN);
> >
> > this pushes 'data' back to mac_header, then makes sure there's sufficient
> > place in skb to _store_ VLAN_ETH_HLEN bytes (by pulling into linear part
> > if needed, or erroring if skb is too small).
>
> Yes, but this skb_ensure_writable() is needed for doing the memmove anyway.
Had no intention dropping the skb_ensure_writable from __skb_vlan_pop :)
> > There's no guarantee the original mac header was sized VLAN_ETH_HLEN.
>
> I'm wondering, what happens when you'd call this on tx path, when you'd
> change that to suggested skb->mac_len? Isn't that 0 in such case, thus
> such setups could fail then?
Thanks, I think you're right.
Seems __dev_queue_xmit needs a 'skb_reset_mac_len' right after call to
'skb_reset_mac_header' (or maybe call 'skb_reset_mac_len' from within
skb_reset_mac_header?).
Also, I'm okay with removing the excess 'skb->mac_len < VLAN_ETH_HLEN'
condition if it is agreed that the "tag exists but insufficient to pop"
semantic is no longer wanted.
Regards,
Shmulik
next prev parent reply other threads:[~2016-09-19 13:05 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-18 10:09 [PATCH] net: skbuff: Fix length validation in skb_vlan_pop() Shmulik Ladkani
2016-09-18 20:26 ` pravin shelar
2016-09-19 6:15 ` Shmulik Ladkani
2016-09-19 12:22 ` Daniel Borkmann
2016-09-19 13:05 ` Shmulik Ladkani [this message]
2016-09-19 15:20 ` Shmulik Ladkani
2016-09-19 20:04 ` Shmulik Ladkani
2016-09-19 20:46 ` pravin shelar
2016-09-20 4:36 ` Shmulik Ladkani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160919160517.6ee28bde@pixies \
--to=shmulik.ladkani@gmail.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jiri@mellanox.com \
--cc=netdev@vger.kernel.org \
--cc=pshelar@ovn.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.