[PATCH] ethernet: add sanity check before memory dereferencing

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ethernet: add sanity check before memory dereferencing
@ 2010-05-04  3:33 Changli Gao
  2010-05-04  6:11 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Changli Gao @ 2010-05-04  3:33 UTC (permalink / raw)
  To: David S. Miller; +Cc: Eric Dumazet, netdev, Changli Gao

add sanity check before memory dereferencing

Some callers of eth_type_trans() only can assure the length of the packets
passed to it is not less than ETH_HLEN. We'd better check the packets length
before dereferencing skb->data.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
----
 net/ethernet/eth.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
index 61ec032..215c839 100644
--- a/net/ethernet/eth.c
+++ b/net/ethernet/eth.c
@@ -158,7 +158,6 @@ EXPORT_SYMBOL(eth_rebuild_header);
 __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
 {
 	struct ethhdr *eth;
-	unsigned char *rawp;
 
 	skb->dev = dev;
 	skb_reset_mac_header(skb);
@@ -199,15 +198,13 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
 	if (ntohs(eth->h_proto) >= 1536)
 		return eth->h_proto;
 
-	rawp = skb->data;
-
 	/*
 	 *      This is a magic hack to spot IPX packets. Older Novell breaks
 	 *      the protocol design and runs IPX over 802.3 without an 802.2 LLC
 	 *      layer. We look for FFFF which isn't a used 802.2 SSAP/DSAP. This
 	 *      won't work for fault tolerant netware but does for the rest.
 	 */
-	if (*(unsigned short *)rawp == 0xFFFF)
+	if (skb->len >= 2 && *(unsigned short *)(skb->data) == 0xFFFF)
 		return htons(ETH_P_802_3);
 
 	/*

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] ethernet: add sanity check before memory dereferencing
  2010-05-04  3:33 [PATCH] ethernet: add sanity check before memory dereferencing Changli Gao
@ 2010-05-04  6:11 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2010-05-04  6:11 UTC (permalink / raw)
  To: xiaosuo; +Cc: eric.dumazet, netdev

From: Changli Gao <xiaosuo@gmail.com>
Date: Tue,  4 May 2010 11:33:48 +0800

> add sanity check before memory dereferencing
> 
> Some callers of eth_type_trans() only can assure the length of the packets
> passed to it is not less than ETH_HLEN. We'd better check the packets length
> before dereferencing skb->data.
> 
> Signed-off-by: Changli Gao <xiaosuo@gmail.com>

We can deference skb->data for at least 16 bytes or so past the end
of the valid packet data area however we want.

It might give garbage values, but it will not cause a fault or any
kind.

We want to remove checks here, not add new ones Changli.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2010-05-04  6:11 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-05-04  3:33 [PATCH] ethernet: add sanity check before memory dereferencing Changli Gao
2010-05-04  6:11 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).