|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH net v3] xen-netback: fix fragment detection in checksum setup
> -----Original Message----- > From: David Miller [mailto:davem@xxxxxxxxxxxxx] > Sent: 30 November 2013 21:14 > To: Paul Durrant > Cc: xen-devel@xxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; Wei Liu; Ian Campbell; > David Vrabel > Subject: Re: [PATCH net v3] xen-netback: fix fragment detection in checksum > setup > > From: Paul Durrant <paul.durrant@xxxxxxxxxx> > Date: Fri, 29 Nov 2013 10:52:08 +0000 > > > @@ -1166,15 +1166,27 @@ static int checksum_setup_ip(struct xenvif *vif, > struct sk_buff *skb, > > struct iphdr *iph = (void *)skb->data; > > unsigned int header_size; > > unsigned int off; > > + bool fragment; > > int err = -EPROTO; > > > > + fragment = false; > > + > > off = sizeof(struct iphdr); > > > > header_size = skb->network_header + off + MAX_IPOPTLEN; > > maybe_pull_tail(skb, header_size); > > > > + if (iph->frag_off & htons(IP_OFFSET | IP_MF)) > > + fragment = true; > > This function has a serious problem. > > maybe_pull_tail() can change skb->data, therefore this "iph" pointer > can become invalid, you're essentially dereferencing garbage if > maybe_pull_tail() actually does any work. Ok. Clearly I'm misunderstanding what __pskb_pull_tail() does then. I was under the impression that it moved skb->tail on but left skb->data alone (which is what I want to do). I will have another look. > > Secondly, do you really (even rate limited) want to span the system > log just because some ipv4 fragmented frames end up here? That > doesn't make any sense to me. Maybe bump a statistic or something > like that, but a log message triggerable by a remote entity? No way. Ok. Paul _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |