From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
To: Vlad Yasevich <vyasevic@redhat.com>, netdev@vger.kernel.org
Cc: bridge@lists.linux-foundation.org
Subject: Re: [Bridge] [PATCH] bridge: Fix crash with vlan filtering and tcpdump
Date: Fri, 28 Mar 2014 00:36:10 +0300 [thread overview]
Message-ID: <533499CA.9030003@cogentembedded.com> (raw)
In-Reply-To: <1395952078-16266-1-git-send-email-vyasevic@redhat.com>
Hello.
On 03/27/2014 11:27 PM, Vlad Yasevich wrote:
> When the vlan filtering is enabled on the bridge, but
> the filter is not configured on the bridge device itself,
> running tcpdump on the bridge device will result in a
> an Oops with NULL pointer dereference. The reason
> is that br_pass_frame_up() will bypass the vlan
> check because promisc flag is set. It will then try
> to get the table pointer and process the packet based
> on the table. Since the table pointer is NULL, we oops.
> Catch this special condition in br_handle_vlan().
> Reported-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
> CC: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
> Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
> ---
> * Changed to use kfree_skb() instead of kfree_skb_list() to
> match the reset of bridge code.
> net/bridge/br_input.c | 11 ++++++-----
> net/bridge/br_vlan.c | 14 ++++++++++++++
> 2 files changed, 20 insertions(+), 5 deletions(-)
> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
> index 28d5446..d0cca3c 100644
> --- a/net/bridge/br_input.c
> +++ b/net/bridge/br_input.c
[...]
> diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
> index 8249ca7..b153cc4 100644
> --- a/net/bridge/br_vlan.c
> +++ b/net/bridge/br_vlan.c
> @@ -144,6 +144,20 @@ struct sk_buff *br_handle_vlan(struct net_bridge *br,
> if (!br->vlan_enabled)
> goto out;
>
> + /* Vlan filter table must be configured at this point. The
> + * only exception is the bridge is set in promisc mode and the
> + * packet is destined for the bridge device. In this case
> + * pass the packet as is.
> + */
> + if (!pv) {
> + if ((br->dev->flags & IFF_PROMISC) && skb->dev == br->dev)
> + goto out;
> + else {
> + kfree_skb(skb);
> + return NULL;
> + }
All arms of the *if* statement should have {} if at least one arm as them;
see Documentation/CodingStyle.
WBR, Sergei
WARNING: multiple messages have this Message-ID (diff)
From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
To: Vlad Yasevich <vyasevic@redhat.com>, netdev@vger.kernel.org
Cc: bridge@lists.linux-foundation.org
Subject: Re: [PATCH] bridge: Fix crash with vlan filtering and tcpdump
Date: Fri, 28 Mar 2014 00:36:10 +0300 [thread overview]
Message-ID: <533499CA.9030003@cogentembedded.com> (raw)
In-Reply-To: <1395952078-16266-1-git-send-email-vyasevic@redhat.com>
Hello.
On 03/27/2014 11:27 PM, Vlad Yasevich wrote:
> When the vlan filtering is enabled on the bridge, but
> the filter is not configured on the bridge device itself,
> running tcpdump on the bridge device will result in a
> an Oops with NULL pointer dereference. The reason
> is that br_pass_frame_up() will bypass the vlan
> check because promisc flag is set. It will then try
> to get the table pointer and process the packet based
> on the table. Since the table pointer is NULL, we oops.
> Catch this special condition in br_handle_vlan().
> Reported-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
> CC: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
> Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
> ---
> * Changed to use kfree_skb() instead of kfree_skb_list() to
> match the reset of bridge code.
> net/bridge/br_input.c | 11 ++++++-----
> net/bridge/br_vlan.c | 14 ++++++++++++++
> 2 files changed, 20 insertions(+), 5 deletions(-)
> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
> index 28d5446..d0cca3c 100644
> --- a/net/bridge/br_input.c
> +++ b/net/bridge/br_input.c
[...]
> diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
> index 8249ca7..b153cc4 100644
> --- a/net/bridge/br_vlan.c
> +++ b/net/bridge/br_vlan.c
> @@ -144,6 +144,20 @@ struct sk_buff *br_handle_vlan(struct net_bridge *br,
> if (!br->vlan_enabled)
> goto out;
>
> + /* Vlan filter table must be configured at this point. The
> + * only exception is the bridge is set in promisc mode and the
> + * packet is destined for the bridge device. In this case
> + * pass the packet as is.
> + */
> + if (!pv) {
> + if ((br->dev->flags & IFF_PROMISC) && skb->dev == br->dev)
> + goto out;
> + else {
> + kfree_skb(skb);
> + return NULL;
> + }
All arms of the *if* statement should have {} if at least one arm as them;
see Documentation/CodingStyle.
WBR, Sergei
next prev parent reply other threads:[~2014-03-27 21:36 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-27 20:27 [Bridge] [PATCH] bridge: Fix crash with vlan filtering and tcpdump Vlad Yasevich
2014-03-27 20:27 ` Vlad Yasevich
2014-03-27 21:36 ` Sergei Shtylyov [this message]
2014-03-27 21:36 ` Sergei Shtylyov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=533499CA.9030003@cogentembedded.com \
--to=sergei.shtylyov@cogentembedded.com \
--cc=bridge@lists.linux-foundation.org \
--cc=netdev@vger.kernel.org \
--cc=vyasevic@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.