[PATCH v2 1/2] ppp_generic: pull 2 bytes so that PPP

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2 1/2] ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid
@ 2010-05-03 20:19 Simon Arlott
  2010-05-03 20:20 ` [PATCH v2 2/2] ppp_generic: handle non-linear skbs when passing them to pppd Simon Arlott
  2010-05-03 20:27 ` [PATCH v2 1/2] ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Simon Arlott @ 2010-05-03 20:19 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, paulus, linux-ppp

In ppp_input(), PPP_PROTO(skb) may refer to invalid data in the skb.

If this happens and (proto >= 0xc000 || proto == PPP_CCPFRAG) then
the packet is passed directly to pppd.

This occurs frequently when using PPPoE with an interface MTU
greater than 1500 because the skb is more likely to be non-linear.

The next 2 bytes need to be pulled in ppp_input(). The pull of 2
bytes in ppp_receive_frame() has been removed as it is no longer
required.

Signed-off-by: Simon Arlott <simon@fire.lp0.eu>
---
 drivers/net/ppp_generic.c |   29 ++++++++++++++++++-----------
 1 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/drivers/net/ppp_generic.c b/drivers/net/ppp_generic.c
index 6e281bc..75e8903 100644
--- a/drivers/net/ppp_generic.c
+++ b/drivers/net/ppp_generic.c
@@ -1567,13 +1567,22 @@ ppp_input(struct ppp_channel *chan, struct sk_buff *skb)
 	struct channel *pch = chan->ppp;
 	int proto;
 
-	if (!pch || skb->len == 0) {
+	if (!pch) {
 		kfree_skb(skb);
 		return;
 	}
 
-	proto = PPP_PROTO(skb);
 	read_lock_bh(&pch->upl);
+	if (!pskb_may_pull(skb, 2)) {
+		kfree_skb(skb);
+		if (pch->ppp) {
+			++pch->ppp->dev->stats.rx_length_errors;
+			ppp_receive_error(pch->ppp);
+		}
+		goto done;
+	}
+
+	proto = PPP_PROTO(skb);
 	if (!pch->ppp || proto >= 0xc000 || proto == PPP_CCPFRAG) {
 		/* put it on the channel queue */
 		skb_queue_tail(&pch->file.rq, skb);
@@ -1585,6 +1594,8 @@ ppp_input(struct ppp_channel *chan, struct sk_buff *skb)
 	} else {
 		ppp_do_recv(pch->ppp, skb, pch);
 	}
+
+done:
 	read_unlock_bh(&pch->upl);
 }
 
@@ -1617,7 +1628,8 @@ ppp_input_error(struct ppp_channel *chan, int code)
 static void
 ppp_receive_frame(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
 {
-	if (pskb_may_pull(skb, 2)) {
+	/* note: a 0-length skb is used as an error indication */
+	if (skb->len > 0) {
 #ifdef CONFIG_PPP_MULTILINK
 		/* XXX do channel-level decompression here */
 		if (PPP_PROTO(skb) == PPP_MP)
@@ -1625,15 +1637,10 @@ ppp_receive_frame(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
 		else
 #endif /* CONFIG_PPP_MULTILINK */
 			ppp_receive_nonmp_frame(ppp, skb);
-		return;
+	} else {
+		kfree_skb(skb);
+		ppp_receive_error(ppp);
 	}
-
-	if (skb->len > 0)
-		/* note: a 0-length skb is used as an error indication */
-		++ppp->dev->stats.rx_length_errors;
-
-	kfree_skb(skb);
-	ppp_receive_error(ppp);
 }
 
 static void
-- 
1.7.0.4

-- 
Simon Arlott

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH v2 2/2] ppp_generic: handle non-linear skbs when passing them to pppd
  2010-05-03 20:19 [PATCH v2 1/2] ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid Simon Arlott
@ 2010-05-03 20:20 ` Simon Arlott
  2010-05-03 20:27   ` David Miller
  2010-05-03 20:27 ` [PATCH v2 1/2] ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid David Miller
  1 sibling, 1 reply; 4+ messages in thread
From: Simon Arlott @ 2010-05-03 20:20 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, paulus, linux-ppp

Frequently when using PPPoE with an interface MTU greater than 1500,
the skb is likely to be non-linear. If the skb needs to be passed to
pppd then the skb data must be read correctly.

The previous commit fixes an issue with accidentally sending skbs
to pppd based on an invalid read of the protocol type. When that
error occurred pppd was reading invalid skb data too.

Signed-off-by: Simon Arlott <simon@fire.lp0.eu>
---
 drivers/net/ppp_generic.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/drivers/net/ppp_generic.c b/drivers/net/ppp_generic.c
index 75e8903..8518a2e 100644
--- a/drivers/net/ppp_generic.c
+++ b/drivers/net/ppp_generic.c
@@ -405,6 +405,7 @@ static ssize_t ppp_read(struct file *file, char __user *buf,
 	DECLARE_WAITQUEUE(wait, current);
 	ssize_t ret;
 	struct sk_buff *skb = NULL;
+	struct iovec iov;
 
 	ret = count;
 
@@ -448,7 +449,9 @@ static ssize_t ppp_read(struct file *file, char __user *buf,
 	if (skb->len > count)
 		goto outf;
 	ret = -EFAULT;
-	if (copy_to_user(buf, skb->data, skb->len))
+	iov.iov_base = buf;
+	iov.iov_len = count;
+	if (skb_copy_datagram_iovec(skb, 0, &iov, skb->len))
 		goto outf;
 	ret = skb->len;
 
-- 
1.7.0.4

-- 
Simon Arlott

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v2 2/2] ppp_generic: handle non-linear skbs when passing them to pppd
  2010-05-03 20:20 ` [PATCH v2 2/2] ppp_generic: handle non-linear skbs when passing them to pppd Simon Arlott
@ 2010-05-03 20:27   ` David Miller
  0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2010-05-03 20:27 UTC (permalink / raw)
  To: simon; +Cc: netdev, paulus, linux-ppp

From: Simon Arlott <simon@fire.lp0.eu>
Date: Mon, 03 May 2010 21:20:27 +0100

> Frequently when using PPPoE with an interface MTU greater than 1500,
> the skb is likely to be non-linear. If the skb needs to be passed to
> pppd then the skb data must be read correctly.
> 
> The previous commit fixes an issue with accidentally sending skbs
> to pppd based on an invalid read of the protocol type. When that
> error occurred pppd was reading invalid skb data too.
> 
> Signed-off-by: Simon Arlott <simon@fire.lp0.eu>

Applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2 1/2] ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid
  2010-05-03 20:19 [PATCH v2 1/2] ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid Simon Arlott
  2010-05-03 20:20 ` [PATCH v2 2/2] ppp_generic: handle non-linear skbs when passing them to pppd Simon Arlott
@ 2010-05-03 20:27 ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2010-05-03 20:27 UTC (permalink / raw)
  To: simon; +Cc: netdev, paulus, linux-ppp

From: Simon Arlott <simon@fire.lp0.eu>
Date: Mon, 03 May 2010 21:19:33 +0100

> In ppp_input(), PPP_PROTO(skb) may refer to invalid data in the skb.
> 
> If this happens and (proto >= 0xc000 || proto == PPP_CCPFRAG) then
> the packet is passed directly to pppd.
> 
> This occurs frequently when using PPPoE with an interface MTU
> greater than 1500 because the skb is more likely to be non-linear.
> 
> The next 2 bytes need to be pulled in ppp_input(). The pull of 2
> bytes in ppp_receive_frame() has been removed as it is no longer
> required.
> 
> Signed-off-by: Simon Arlott <simon@fire.lp0.eu>

Applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2010-05-03 20:27 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-05-03 20:19 [PATCH v2 1/2] ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid Simon Arlott
2010-05-03 20:20 ` [PATCH v2 2/2] ppp_generic: handle non-linear skbs when passing them to pppd Simon Arlott
2010-05-03 20:27   ` David Miller
2010-05-03 20:27 ` [PATCH v2 1/2] ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).