|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH] xen-netfront: drop skb when skb->len > 65535
The `size' field of Xen network wired format is uint16_t, anything bigger than
65535 will cause overflow.
The punishment introduced by XSA-39 is quite harsh - DomU is disconnected when
it's discovered to be sending corrupted skbs. However, it looks like Linux
kernel will generate some bad skbs sometimes, so drop those skbs before
sending to over netback to avoid being disconnected.
Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
---
drivers/net/xen-netfront.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 5527663..284059b 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -547,6 +547,18 @@ static int xennet_start_xmit(struct sk_buff *skb, struct
net_device *dev)
unsigned int len = skb_headlen(skb);
unsigned long flags;
+ /*
+ * wired format of xen_netif_tx_request only supports skb->len
+ * < 64K, because size field in xen_netif_tx_request is
+ * uint16_t.
+ */
+ if (unlikely(skb->len > (uint16_t)(~((uint16_t)0)))) {
+ net_alert_ratelimited(
+ "xennet: skb->len = %d, too big for wired format\n",
+ skb->len);
+ goto drop;
+ }
+
slots = DIV_ROUND_UP(offset + len, PAGE_SIZE) +
xennet_count_skb_frag_slots(skb);
if (unlikely(slots > MAX_SKB_FRAGS + 1)) {
--
1.7.10.4
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |