From: Stephen Hemminger <stephen@networkplumber.org>
To: Haiyang Zhang <haiyangz@linuxonhyperv.com>
Cc: olaf@aepfle.de, sthemmin@microsoft.com, netdev@vger.kernel.org,
haiyangz@microsoft.com, linux-kernel@vger.kernel.org,
devel@linuxdriverproject.org, vkuznets@redhat.com,
davem@davemloft.net
Subject: Re: [PATCH net-next, 2/2] hv_netvsc: Add range checking for rx packet offset and length
Date: Tue, 27 Mar 2018 08:22:45 -0700
Message-ID: <20180327082245.591612dc@xeon-e3>
In-Reply-To: <20180322190114.25596-3-haiyangz@linuxonhyperv.com>

On Thu, 22 Mar 2018 12:01:14 -0700
Haiyang Zhang <haiyangz@linuxonhyperv.com> wrote:
> From: Haiyang Zhang <haiyangz@microsoft.com>
>
> This patch adds range checking for rx packet offset and length.
> It may only happen if there is a host side bug.
>
> Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
> ---
> drivers/net/hyperv/hyperv_net.h | 1 +
> drivers/net/hyperv/netvsc.c | 17 +++++++++++++++--
> 2 files changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
> index 0db3bd1ea06f..49c05ac894e5 100644
> --- a/drivers/net/hyperv/hyperv_net.h
> +++ b/drivers/net/hyperv/hyperv_net.h
> @@ -793,6 +793,7 @@ struct netvsc_device {
>
> /* Receive buffer allocated by us but manages by NetVSP */
> void *recv_buf;
> + u32 recv_buf_size; /* allocated bytes */
> u32 recv_buf_gpadl_handle;
> u32 recv_section_cnt;
> u32 recv_section_size;
> diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
> index 1ddb2c39b6e4..a6700d65f206 100644
> --- a/drivers/net/hyperv/netvsc.c
> +++ b/drivers/net/hyperv/netvsc.c
> @@ -289,6 +289,8 @@ static int netvsc_init_buf(struct hv_device *device,
> goto cleanup;
> }
>
> + net_device->recv_buf_size = buf_size;
> +
> /*
> * Establish the gpadl handle for this buffer on this
> * channel. Note: This call uses the vmbus connection rather
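
Review bot: The assignment net_device->recv_buf_size = buf_size stores into a u32 field, but the declaration of buf_size is outside this hunk. If buf_size is wider than u32, the store narrows silently, and the bound used by the later range check would then be smaller than the real allocation. Either declare the new field with the same type as buf_size or state in the comment on the field that the receive buffer size is known to fit in 32 bits.
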
> @@ -1095,11 +1097,22 @@ static int netvsc_receive(struct net_device *ndev,
>
> /* Each range represents 1 RNDIS pkt that contains 1 ethernet frame */
> for (i = 0; i < count; i++) {
> - void *data = recv_buf
> - + vmxferpage_packet->ranges[i].byte_offset;
> + u32 offset = vmxferpage_packet->ranges[i].byte_offset;
> u32 buflen = vmxferpage_packet->ranges[i].byte_count;
> + void *data;
> int ret;
>
> + if (unlikely(offset + buflen > net_device->recv_buf_size)) {
> + status = NVSP_STAT_FAIL;
> + netif_err(net_device_ctx, rx_err, ndev,
> + "Packet offset:%u + len:%u too big\n",
> + offset, buflen);
> +
> + continue;
> + }
> +
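
Review bot: The test offset + buflen > net_device->recv_buf_size adds two u32 values, so the sum is computed in 32 bits and can wrap: a large byte_offset combined with a large byte_count gives a small sum that passes the check, which is exactly the malformed input the check is meant to reject. Write the comparison without the addition, for example offset > net_device->recv_buf_size || buflen > net_device->recv_buf_size - offset. The netif_err() call also runs once per bad range inside the loop, so a rate-limited or one-time message would keep a misbehaving host from flooding the log.
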
If one part of the RNDIS packet is wrong then the whole receive
buffer is damaged. Just return, don't continue.
It could really just be a statistic and a one shot log message.