gro: Fix use after free in tcp_gro

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* gro: Fix use after free in tcp_gro_receive
@ 2009-04-17  9:25 Herbert Xu
  2009-04-17  9:34 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Herbert Xu @ 2009-04-17  9:25 UTC (permalink / raw)
  To: David S. Miller, netdev, Mark Wagner

Hi:

gro: Fix use after free in tcp_gro_receive

After calling skb_gro_receive skb->len can no longer be relied
on since if the skb was merged using frags, then its pages will
have been removed and the length reduced.

This caused tcp_gro_receive to prematurely end merging which
resulted in suboptimal performance with ixgbe.

The fix is to store skb->len on the stack.

Reported-by: Mark Wagner <mwagner@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index fafbec8..1d7f49c 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2511,6 +2511,7 @@ struct sk_buff **tcp_gro_receive(struct sk_buff **head, struct sk_buff *skb)
 	struct sk_buff *p;
 	struct tcphdr *th;
 	struct tcphdr *th2;
+	unsigned int len;
 	unsigned int thlen;
 	unsigned int flags;
 	unsigned int mss = 1;
@@ -2531,6 +2532,7 @@ struct sk_buff **tcp_gro_receive(struct sk_buff **head, struct sk_buff *skb)
 
 	skb_gro_pull(skb, thlen);
 
+	len = skb_gro_len(skb);
 	flags = tcp_flag_word(th);
 
 	for (; (p = *head); head = &p->next) {
@@ -2561,7 +2563,7 @@ found:
 
 	mss = skb_shinfo(p)->gso_size;
 
-	flush |= (skb_gro_len(skb) > mss) | !skb_gro_len(skb);
+	flush |= (len > mss) | !len;
 	flush |= (ntohl(th2->seq) + skb_gro_len(p)) ^ ntohl(th->seq);
 
 	if (flush || skb_gro_receive(head, skb)) {
@@ -2574,7 +2576,7 @@ found:
 	tcp_flag_word(th2) |= flags & (TCP_FLAG_FIN | TCP_FLAG_PSH);
 
 out_check_final:
-	flush = skb_gro_len(skb) < mss;
+	flush = len < mss;
 	flush |= flags & (TCP_FLAG_URG | TCP_FLAG_PSH | TCP_FLAG_RST |
 			  TCP_FLAG_SYN | TCP_FLAG_FIN);

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: gro: Fix use after free in tcp_gro_receive
  2009-04-17  9:25 gro: Fix use after free in tcp_gro_receive Herbert Xu
@ 2009-04-17  9:34 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2009-04-17  9:34 UTC (permalink / raw)
  To: herbert; +Cc: netdev, mwagner

From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Fri, 17 Apr 2009 17:25:53 +0800

> gro: Fix use after free in tcp_gro_receive
> 
> After calling skb_gro_receive skb->len can no longer be relied
> on since if the skb was merged using frags, then its pages will
> have been removed and the length reduced.
> 
> This caused tcp_gro_receive to prematurely end merging which
> resulted in suboptimal performance with ixgbe.
> 
> The fix is to store skb->len on the stack.
> 
> Reported-by: Mark Wagner <mwagner@redhat.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Applied, thanks!

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2009-04-17  9:34 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-04-17  9:25 gro: Fix use after free in tcp_gro_receive Herbert Xu
2009-04-17  9:34 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).