[PATCH] ipx: header length validation needed

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ipx: header length validation needed
@ 2006-08-07 20:46 Stephen Hemminger
  2006-08-07 23:24 ` David Miller
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Hemminger @ 2006-08-07 20:46 UTC (permalink / raw)
  To: Arnaldo Carvalho de Melo; +Cc: netdev, stable

IPX is not checking for non-linear (and short packets) in it's receive routine.
This is serious because it may mean it ends up reading past end of skb.

This maybe related to this bug, because sky2 will copy small packets into small
skb's.

    http://bugzilla.kernel.org/show_bug.cgi?id=6693

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>


--- a/net/ipx/af_ipx.c	2006-07-07 13:02:31.000000000 -0700
+++ b/net/ipx/af_ipx.c	2006-08-07 13:18:08.000000000 -0700
@@ -1642,6 +1642,9 @@
 	if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
 		goto out;
 
+	if (!pskb_may_pull(skb, sizeof(struct ipxhdr)))
+		goto drop;
+
 	ipx		= ipx_hdr(skb);
 	ipx_pktsize	= ntohs(ipx->ipx_pktsize);
 	

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] ipx: header length validation needed
  2006-08-07 20:46 [PATCH] ipx: header length validation needed Stephen Hemminger
@ 2006-08-07 23:24 ` David Miller
  2006-08-07 23:36   ` Stephen Hemminger
  0 siblings, 1 reply; 5+ messages in thread
From: David Miller @ 2006-08-07 23:24 UTC (permalink / raw)
  To: shemminger; +Cc: acme, netdev, stable

From: Stephen Hemminger <shemminger@osdl.org>
Date: Mon, 7 Aug 2006 13:46:36 -0700

> IPX is not checking for non-linear (and short packets) in it's
> receive routine.  This is serious because it may mean it ends up
> reading past end of skb.

This takes care of ipx_rcv() but the rest of the IPX protocol
handling still has the problem, so you'll need to meticuliously
follow the whole receive path and fix up all the spots that
parse subsequent parts of the IPX packet to fix this properly.

For example, take a look at ipxitf_pprop().

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] ipx: header length validation needed
  2006-08-07 23:24 ` David Miller
@ 2006-08-07 23:36   ` Stephen Hemminger
  2006-08-08  3:10     ` David Miller
  2006-08-10  6:50     ` [stable] " Greg KH
  0 siblings, 2 replies; 5+ messages in thread
From: Stephen Hemminger @ 2006-08-07 23:36 UTC (permalink / raw)
  To: David Miller; +Cc: acme, netdev, stable

This patch will linearize and check there is enough data.
It handles the pprop case as well as avoiding a whole audit of
the routing code.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>

--- a/net/ipx/af_ipx.c	2006-08-07 13:45:59.000000000 -0700
+++ b/net/ipx/af_ipx.c	2006-08-07 16:34:00.000000000 -0700
@@ -1649,7 +1649,8 @@
 	ipx_pktsize	= ntohs(ipx->ipx_pktsize);
 	
 	/* Too small or invalid header? */
-	if (ipx_pktsize < sizeof(struct ipxhdr) || ipx_pktsize > skb->len)
+	if (ipx_pktsize < sizeof(struct ipxhdr)
+	   || !pskb_may_pull(skb, ipx_pktsize))
 		goto drop;
                         
 	if (ipx->ipx_checksum != IPX_NO_CHECKSUM &&

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] ipx: header length validation needed
  2006-08-07 23:36   ` Stephen Hemminger
@ 2006-08-08  3:10     ` David Miller
  2006-08-10  6:50     ` [stable] " Greg KH
  1 sibling, 0 replies; 5+ messages in thread
From: David Miller @ 2006-08-08  3:10 UTC (permalink / raw)
  To: shemminger; +Cc: acme, netdev, stable

From: Stephen Hemminger <shemminger@osdl.org>
Date: Mon, 7 Aug 2006 16:36:02 -0700

> This patch will linearize and check there is enough data.
> It handles the pprop case as well as avoiding a whole audit of
> the routing code.
> 
> Signed-off-by: Stephen Hemminger <shemminger@osdl.org>

Applied, with a minor coding style tidy-up.

Thanks a lot Stephen.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [stable] [PATCH] ipx: header length validation needed
  2006-08-07 23:36   ` Stephen Hemminger
  2006-08-08  3:10     ` David Miller
@ 2006-08-10  6:50     ` Greg KH
  1 sibling, 0 replies; 5+ messages in thread
From: Greg KH @ 2006-08-10  6:50 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: David Miller, netdev, stable, acme

On Mon, Aug 07, 2006 at 04:36:02PM -0700, Stephen Hemminger wrote:
> This patch will linearize and check there is enough data.
> It handles the pprop case as well as avoiding a whole audit of
> the routing code.
> 
> Signed-off-by: Stephen Hemminger <shemminger@osdl.org>

queued to -stable, thanks.

greg k-h


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2006-08-10  6:50 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-08-07 20:46 [PATCH] ipx: header length validation needed Stephen Hemminger
2006-08-07 23:24 ` David Miller
2006-08-07 23:36   ` Stephen Hemminger
2006-08-08  3:10     ` David Miller
2006-08-10  6:50     ` [stable] " Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).