[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3

To: Eric Dumazet <eric.dumazet@xxxxxxxxx>
From: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>
Date: Thu, 26 Aug 2010 09:55:41 +0100
Cc: Jeremy Fitzhardinge <jeremy@xxxxxxxx>, "Xen-devel@xxxxxxxxxxxxxxxxxxx" <Xen-devel@xxxxxxxxxxxxxxxxxxx>, "netdev@xxxxxxxxxxxxxxx" <netdev@xxxxxxxxxxxxxxx>, "bugzilla-daemon@xxxxxxxxxxxxxxxxxxx" <bugzilla-daemon@xxxxxxxxxxxxxxxxxxx>, Chapman <jchapman@xxxxxxxxxxx>, Chris Wright <chrisw@xxxxxxxxxxxx>, "bugme-daemon@xxxxxxxxxxxxxxxxxxx" <bugme-daemon@xxxxxxxxxxxxxxxxxxx>, James, "heil@xxxxxxxxxxxxxxxxxxxxxx" <heil@xxxxxxxxxxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, David Miller <davem@xxxxxxxxxxxxx>
Delivery-date: Thu, 26 Aug 2010 01:56:26 -0700
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

On Thu, 2010-08-26 at 09:34 +0100, Eric Dumazet wrote:
> Le jeudi 26 aoÃt 2010 Ã 09:14 +0100, Ian Campbell a Ãcrit :
> > On Thu, 2010-08-26 at 09:03 +0100, Eric Dumazet wrote:
> > > Here is the patch, could you test it please ?
> > > 
> > > Thanks !
> > > 
> > > [PATCH] l2tp: test for malicious frames in l2tp_eth_dev_recv()
> > > 
> > > close https://bugzilla.kernel.org/show_bug.cgi?id=16529
> > > 
> > > Before calling dev_forward_skb(), we should make sure skb contains at
> > > least an ethernet header, even if length included in upper layer said
> > > so.
> > 
> > Does this imply that there is some problem with xen-netfront setting
> > skb->len or skb->data_len or something incorrectly? It's not clear where
> > data_len has come from in this context.
> 
> data_len is a 16bit field provided in a prior encapsulation header,
> provided by user (untrusted source)
> 
> Some buggy or malicious software sent an invalid frame,
> 
> 
> < encapsulation [len=1000] >  < 'runt' eth frame (len<14) > 
> 
> Another fix would be to change l2tp_recv_dequeue_skb(), and check
> 
> L2TP_SKB_CB(skb)->length against skb->len, before calling 
> 
> (*session->recv_skb)(session, skb, length);
> 
> 
> I prefer the one liner patch I sent you, as a minimum fix.

Thanks, I just wanted to be sure we weren't papering over a potential
issue in xen-netfront.

Ian.



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

References:
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Jeremy Fitzhardinge
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Ian Campbell
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Eric Dumazet
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Ian Campbell
- [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
  - From: Eric Dumazet

Prev by Date: RE: [Xen-devel] [PATCH] xl: obey uuid config option
Next by Date: RE: [Xen-devel] Xen-unstable panic: FATAL PAGE FAULT
Previous by thread: [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
Next by thread: [Xen-devel] Re: [Bugme-new] [Bug 16529] New: xennet driver crashes when using with pseudowire aka l2tpv3
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.