From: arno@natisbad.org (Arnaud Ebalard)
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Miller <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Daniel Borkmann <dborkman@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Willy Tarreau <w@1wt.eu>,
netdev@vger.kernel.org
Subject: Re: [BUG] null pointer dereference in tcp_gso_segment()
Date: Wed, 22 Jan 2014 23:02:49 +0100 [thread overview]
Message-ID: <8761pb7jzq.fsf@natisbad.org> (raw)
In-Reply-To: <1390427824.27806.36.camel@edumazet-glaptop2.roam.corp.google.com> (Eric Dumazet's message of "Wed, 22 Jan 2014 13:57:04 -0800")
Hi Eric,
Eric Dumazet <eric.dumazet@gmail.com> writes:
>> Unless there is an assumption I missed somewhere in the function, the
>> problem may occur during the first round of the loop, because (unlike
>> the 'while' condition does at line 21) skb->next is not checked against
>> null at lines 17 above before it is passed to tcp_hdr() at line 18.
>>
>> To be honest, I am asking because I am not familiar w/ the code and it
>> is somewhat old so I wonder why noone got hit before. AFAICT,
>> f4c50d990dcf ([NET]: Add software TSOv4) added TSOv4 support in 2006 via
>> introduction of tcp_tso_segmen() (with the same kind of deref but
>> possibly different assumptions) which was more recently modified via
>> 28850dc7c7 (net: tcp: move GRO/GSO functions to tcp_offload) to become
>> tcp_gso_segment().
>>
>> David, can you confirm the analysis and possibly comment on the
>> conditions needed for the bug to manifest?
>
> A gso packet contains at least 2 segments.
By whom / where is it enforced?
Cheers,
a+
next prev parent reply other threads:[~2014-01-22 22:03 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-22 21:46 [BUG] null pointer dereference in tcp_gso_segment() Arnaud Ebalard
2014-01-22 21:57 ` Eric Dumazet
2014-01-22 22:02 ` Arnaud Ebalard [this message]
2014-01-22 22:18 ` Eric Dumazet
2014-01-22 23:56 ` Willy Tarreau
2014-01-26 0:04 ` Arnaud Ebalard
2014-01-25 23:54 ` Arnaud Ebalard
2014-01-26 1:18 ` Eric Dumazet
2014-01-27 22:14 ` Arnaud Ebalard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8761pb7jzq.fsf@natisbad.org \
--to=arno@natisbad.org \
--cc=davem@davemloft.net \
--cc=dborkman@redhat.com \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.