public inbox for b.a.t.m.a.n@lists.open-mesh.org
From: Sven Eckelmann <sven@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Marek Lindner <mareklindner@neomailbox.ch>
Subject: Re: [B.A.T.M.A.N.] [PATCH] batman-adv: Check skb size before using encapsulated ETH+VLAN header
Date: Sun, 28 Feb 2016 07:36:40 +0100
Message-ID: <2655547.V2kIYkZTyH@sven-edge>
In-Reply-To: <10633463.PgZ4eD0ZeI@voltaire>

On Sunday 28 February 2016 08:49:02 Marek Lindner wrote:
> On Friday, February 26, 2016 17:56:13 Sven Eckelmann wrote:
> > --- a/net/batman-adv/soft-interface.c
> > +++ b/net/batman-adv/soft-interface.c
> > @@ -408,11 +408,17 @@ void batadv_interface_rx(struct net_device
> > *soft_iface, */
> > 
> >  	nf_reset(skb);
> > 
> > +	if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
> > +		goto dropped;
> > +
> > 
> >  	vid = batadv_get_vid(skb, 0);
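
Review bot: the new ETH_HLEN check directly above batadv_get_vid(skb, 0)
needs a one-line comment saying why it is there. The question raised right
below shows that it reads as redundant next to the pskb_may_pull() inside
batadv_get_vid(); a comment along the lines of "batadv_get_vid() does not
report a failed pull, so check the encapsulated ethernet header here" would
keep the check from being removed again as a cleanup.
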
> 
> batadv_get_vid() also calls pskb_may_pull() and checks for VLAN_ETH_HLEN
> length. Isn't that sufficient ?

No, because it doesn't signal the result of pskb_may_pull back to this 
function. At least not in a way that the _rx function drops the packet on an 
error.

> On a related note - a few lines before your check you'll find:
> 
> /* check if enough space is available for pulling, and pull */
> if (!pskb_may_pull(skb, hdr_size))

This only includes the unicast/unicast_4addr/bcast batman-adv header. It 
doesn't check the size of the encapsulated data (this also means *not* the 
encapsulated ethernet header).

> 
> In its current form that check is useless because
> batadv_recv_unicast_packet() already calls batadv_check_unicast_packet()
> which does the same
> pskb_may_pull(skb, hdr_size). Am I overlooking something ?

Looks like it also only checks the size of the batman-adv header and the 
content of the outer (not the encapsulated) ethernet header.

> 
> >  	switch (ntohs(ethhdr->h_proto)) {
> > 
> >  	case ETH_P_8021Q:
> > +		if (!pskb_may_pull(skb, VLAN_ETH_HLEN))
> > +			goto dropped;
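
Review bot: in the ETH_P_8021Q case the added pskb_may_pull(skb,
VLAN_ETH_HLEN) runs after ethhdr->h_proto has already been read, and
pskb_may_pull() may reallocate the skb head when it has to pull data in from
fragments. Any header pointer taken before this call (ethhdr here) has to be
re-read from the skb before it is used again after the check. As a style
point, this check lacks the unlikely() annotation that the ETH_HLEN check
earlier in the hunk uses; the two should match.
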
> 
> Shouldn't this memory access be covered by the earlier check inside
> batadv_get_vid() ?

Nope, no drop of the packet when the may_pull in batadv_get_vid fails.

> 
> >  	/* skb->dev & skb->pkt_type are set here */
> > 
> > -	if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
> > -		goto dropped;
> 
> Agreed that this seems unnecessary.


At least it is too late :)

Please check my statements twice. Maybe I've overlooked something.

Kind regards,
	Sven
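
A user-space model of the point made in the reply above, added here as an example and not taken from the patch or the batman-adv source: a helper that does its own length check but reports a short frame the same way as an untagged one leaves the caller parsing header bytes that are not in the frame. `may_pull`, `get_vid`, `rx_unchecked`, `rx_checked`, `NO_VID`, `RX_DROP` and the sample buffer are constructed stand-ins, and the offsets assume the standard Ethernet/802.1Q layout.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HLEN      14      /* dst(6) + src(6) + ethertype(2) */
#define VLAN_ETH_HLEN 18      /* ETH_HLEN + 802.1Q tag(4) */
#define ETH_P_8021Q   0x8100
#define NO_VID        0xFFFF  /* constructed sentinel: "no VLAN" */
#define RX_DROP       (-1)

/* Constructed sample: bytes past the logical frame length model stale memory. */
static const uint8_t sample[32] = {
	[12] = 0x81, 0x00, 0x00, 0x2A, 0x08, 0x00, /* 802.1Q, TCI vid 42, inner proto */
};

/* Stand-in for pskb_may_pull(): are `need` header bytes present? */
static int may_pull(size_t len, size_t need) { return len >= need; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Helper with its own length check; short and untagged frames look the same. */
static uint16_t get_vid(const uint8_t *f, size_t len)
{
	if (!may_pull(len, VLAN_ETH_HLEN) || be16(f + 12) != ETH_P_8021Q)
		return NO_VID;
	return be16(f + 14) & 0x0FFF;
}

/* Caller relying on the helper's internal check: parses whatever is there. */
static int rx_unchecked(const uint8_t *f, size_t len, uint16_t *vid)
{
	*vid = get_vid(f, len);
	return be16(f + 12) == ETH_P_8021Q ? be16(f + 16) : be16(f + 12);
}

/* Caller with its own checks: drop before reading bytes not in the frame. */
static int rx_checked(const uint8_t *f, size_t len, uint16_t *vid)
{
	if (!may_pull(len, ETH_HLEN))
		return RX_DROP;
	*vid = get_vid(f, len);
	if (be16(f + 12) != ETH_P_8021Q)
		return be16(f + 12);
	return may_pull(len, VLAN_ETH_HLEN) ? be16(f + 16) : RX_DROP;
}

int main(void)
{
	uint16_t vid;
	return rx_checked(sample, ETH_HLEN, &vid) == RX_DROP ? 0 : 1;
}
```

With a 14-byte frame that announces an 802.1Q tag, the unchecked caller gets `NO_VID` from the helper yet still returns an inner protocol read from bytes 16 and 17, which lie outside the frame; the checked caller drops it.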

