From: Daniel Borkmann <daniel@iogearbox.net>
To: Shmulik Ladkani <shmulik.ladkani@gmail.com>,
pravin shelar <pshelar@ovn.org>
Cc: Jiri Pirko <jiri@mellanox.com>,
"David S . Miller" <davem@davemloft.net>,
Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: [PATCH] net: skbuff: Fix length validation in skb_vlan_pop()
Date: Mon, 19 Sep 2016 14:22:57 +0200 [thread overview]
Message-ID: <57DFD8A1.1090103@iogearbox.net> (raw)
In-Reply-To: <20160919091538.56defd2b@pixies>
On 09/19/2016 08:15 AM, Shmulik Ladkani wrote:
> On Sun, 18 Sep 2016 13:26:30 -0700, pshelar@ovn.org wrote:
>> On Sun, Sep 18, 2016 at 3:09 AM, Shmulik Ladkani
>> <shmulik.ladkani@gmail.com> wrote:
>>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
>>> index 1e329d4112..cc2c004838 100644
>>> --- a/net/core/skbuff.c
>>> +++ b/net/core/skbuff.c
>>> @@ -4537,7 +4537,7 @@ int skb_vlan_pop(struct sk_buff *skb)
>>> } else {
>>> if (unlikely((skb->protocol != htons(ETH_P_8021Q) &&
>>> skb->protocol != htons(ETH_P_8021AD)) ||
>>> - skb->len < VLAN_ETH_HLEN))
>>> + skb->mac_len < VLAN_ETH_HLEN))
>>
>> There is already check in __skb_vlan_pop() to validate skb for a vlan
>> header. So it is safe to drop this check entirely.
>
> Seems validation in '__skb_vlan_pop' has slightly different semantics:
>
> unsigned int offset = skb->data - skb_mac_header(skb);
>
> __skb_push(skb, offset);
> err = skb_ensure_writable(skb, VLAN_ETH_HLEN);
>
> this pushes 'data' back to mac_header, then makes sure there's sufficient
> place in skb to _store_ VLAN_ETH_HLEN bytes (by pulling into linear part
> if needed, or erroring if skb is too small).
Yes, but this skb_ensure_writable() is needed for doing the memmove anyway.
> There's no guarantee the original mac header was sized VLAN_ETH_HLEN.
I'm wondering, what happens when you'd call this on tx path, when you'd
change that to suggested skb->mac_len? Isn't that 0 in such case, thus
such setups could fail then?
next prev parent reply other threads:[~2016-09-19 12:23 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-18 10:09 [PATCH] net: skbuff: Fix length validation in skb_vlan_pop() Shmulik Ladkani
2016-09-18 20:26 ` pravin shelar
2016-09-19 6:15 ` Shmulik Ladkani
2016-09-19 12:22 ` Daniel Borkmann [this message]
2016-09-19 13:05 ` Shmulik Ladkani
2016-09-19 15:20 ` Shmulik Ladkani
2016-09-19 20:04 ` Shmulik Ladkani
2016-09-19 20:46 ` pravin shelar
2016-09-20 4:36 ` Shmulik Ladkani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57DFD8A1.1090103@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jiri@mellanox.com \
--cc=netdev@vger.kernel.org \
--cc=pshelar@ovn.org \
--cc=shmulik.ladkani@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.