* [patch] bridge netfilter bug
@ 2006-08-18 8:23 Gerd Hoffmann
From: Gerd Hoffmann @ 2006-08-18 8:23 UTC (permalink / raw)
To: netdev; +Cc: Xen devel list, Jan Beulich
[-- Attachment #1: Type: text/plain, Size: 322 bytes --]
Hi,
The bridging code copies 16 bytes unconditionally, whereas the ethernet
header is 14 bytes only. In most cases it works ok nevertheless due to
NET_IP_ALIGN, sometimes it doesn't though. Fix is attached below.
please apply,
Gerd
--
Gerd Hoffmann <kraxel@suse.de>
http://www.suse.de/~kraxel/julika-dora.jpeg
[-- Attachment #2: nf_bridge-header-size --]
[-- Type: text/plain, Size: 1441 bytes --]
Subject: nf_bridge: ethernet header is 14 not 16 bytes
From: jbeulich@novell.com
Acked-by: kraxel@suse.de
References: 150410
The bridge netfilter code saves two more bytes than it should.
In most cases it doesn't hurt because many drivers use NET_IP_ALIGN
to make the IP header aligned, so there are two extra bytes head room
available.
Some drivers don't do that though (sky2 for example), so copying
accesses data outside the skbuff data allocation. On xen kernels
this can kill the machine with a page fault due to the way
skbuffs are allocated and the memory is managed.
---
include/linux/netfilter_bridge.h | 2 +-
net/bridge/br_netfilter.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- linux-2.6.17.orig/include/linux/netfilter_bridge.h
+++ linux-2.6.17/include/linux/netfilter_bridge.h
@@ -57,7 +57,7 @@ void nf_bridge_maybe_copy_header(struct
memcpy(skb->data - 18, skb->nf_bridge->data, 18);
skb_push(skb, 4);
} else
- memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+ memcpy(skb->data - 14, skb->nf_bridge->data, 14);
}
}
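Review bot: The copy lengths in nf_bridge_maybe_copy_header are bare literals (18 in the context line, 14 in the changed else branch), so nothing in the code says which header each one measures or lets a reader see that 16 was wrong. Use the named constants instead: ETH_HLEN from <linux/if_ether.h> for the untagged header and VLAN_ETH_HLEN from <linux/if_vlan.h> for the tagged one, so the changed line reads `memcpy(skb->data - ETH_HLEN, skb->nf_bridge->data, ETH_HLEN);`. The `skb_push(skb, 4)` in the tagged branch could use VLAN_HLEN for the same reason.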
--- linux-2.6.17.orig/net/bridge/br_netfilter.c
+++ linux-2.6.17/net/bridge/br_netfilter.c
@@ -124,7 +124,7 @@ static inline struct nf_bridge_info *nf_
static inline void nf_bridge_save_header(struct sk_buff *skb)
{
- int header_size = 16;
+ int header_size = 14;
if (skb->protocol == htons(ETH_P_8021Q))
header_size = 18;
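Review bot: header_size in nf_bridge_save_header repeats the same 14 and 18 literals that nf_bridge_maybe_copy_header in include/linux/netfilter_bridge.h uses for the restore, so the save and restore lengths stay equal only by hand across two files. Derive both from one definition (ETH_HLEN and VLAN_ETH_HLEN, or a small shared helper that returns the length for skb->protocol) and add a one-line comment that the saved region is exactly the link-layer header with no alignment padding. The memcpy that consumes header_size is outside the visible context, so the hunk alone does not show whether anything else still assumes 16 bytes; a sentence in the commit message confirming that would help.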