From: shemminger@osdl.org
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Subject: [PATCH 1/4] bridge-netfilter: memory corruption fix
Date: Tue, 22 Aug 2006 17:10:51 -0700
Message-ID: <20060823001230.727305000@localhost.localdomain>
In-Reply-To: 20060823001050.363374000@localhost.localdomain
[-- Attachment #1: br-nf-over.patch --]
[-- Type: text/plain, Size: 1587 bytes --]
The bridge-netfilter code will overwrite memory if there is not headroom
in the skb to save the header. This first showed up when using Xen with
the sky2 driver that doesn't allocate the extra space.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
--- br-nf.orig/include/linux/netfilter_bridge.h 2006-08-22 16:43:41.000000000 -0700
+++ br-nf/include/linux/netfilter_bridge.h 2006-08-22 16:45:05.000000000 -0700
@@ -48,15 +48,25 @@
/* Only used in br_forward.c */
static inline
-void nf_bridge_maybe_copy_header(struct sk_buff *skb)
+int nf_bridge_maybe_copy_header(struct sk_buff *skb)
{
+ int err;
+
if (skb->nf_bridge) {
if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+ err = skb_cow(skb, 18);
+ if (err)
+ return err;
memcpy(skb->data - 18, skb->nf_bridge->data, 18);
skb_push(skb, 4);
- } else
+ } else {
+ err = skb_cow(skb, 16);
+ if (err)
+ return err;
memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+ }
}
+ return 0;
}
/* This is called by the IP fragmenting code and it ensures there is
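Review bot: the headroom sizes 18 and 16 in nf_bridge_maybe_copy_header() now each appear twice, once in skb_cow() and once in the matching memcpy(), so the reservation and the copy can drift apart in a later edit and reopen the overwrite this patch closes. A single local length or named constant per branch, used by both calls, would keep them tied together. The new int return also needs a comment above the function saying that it returns 0 or the skb_cow() error and that the skb is not freed on failure, since the caller is now responsible for that.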
--- br-nf.orig/net/bridge/br_forward.c 2006-08-22 16:43:41.000000000 -0700
+++ br-nf/net/bridge/br_forward.c 2006-08-22 16:44:04.000000000 -0700
@@ -40,11 +40,15 @@
else {
#ifdef CONFIG_BRIDGE_NETFILTER
/* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
- nf_bridge_maybe_copy_header(skb);
+ if (nf_bridge_maybe_copy_header(skb))
+ kfree_skb(skb);
+ else
#endif
- skb_push(skb, ETH_HLEN);
+ {
+ skb_push(skb, ETH_HLEN);
- dev_queue_xmit(skb);
+ dev_queue_xmit(skb);
+ }
}
return 0;
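Review bot: in the br_forward.c hunk the `else` sits inside `#ifdef CONFIG_BRIDGE_NETFILTER` while the block it governs sits after `#endif`, so the statement structure changes with the config option and the braces become a bare compound statement when the option is off. That is easy to break in a later edit; keeping the if/else and its braces on the same side of the preprocessor conditional would be more robust. Separately, the failure path frees the skb with kfree_skb() and still falls through to `return 0;`, so the drop is invisible to the caller; if that is intended, a short comment at the kfree_skb() line should say so.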
--