[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH net v3] xen-netback: fix fragment detection in checksum setup

On Mon, 2013-12-02 at 09:45 +0000, Paul Durrant wrote:
> > -----Original Message-----
> > From: David Miller [mailto:davem@xxxxxxxxxxxxx]
> > Sent: 30 November 2013 21:14
> > To: Paul Durrant
> > Cc: xen-devel@xxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; Wei Liu; Ian Campbell;
> > David Vrabel
> > Subject: Re: [PATCH net v3] xen-netback: fix fragment detection in checksum
> > setup
> > 
> > From: Paul Durrant <paul.durrant@xxxxxxxxxx>
> > Date: Fri, 29 Nov 2013 10:52:08 +0000
> > 
> > > @@ -1166,15 +1166,27 @@ static int checksum_setup_ip(struct xenvif *vif,
> > struct sk_buff *skb,
> > >   struct iphdr *iph = (void *)skb->data;
> > >   unsigned int header_size;
> > >   unsigned int off;
> > > + bool fragment;
> > >   int err = -EPROTO;
> > >
> > > + fragment = false;
> > > +
> > >   off = sizeof(struct iphdr);
> > >
> > >   header_size = skb->network_header + off + MAX_IPOPTLEN;
> > >   maybe_pull_tail(skb, header_size);
> > >
> > > + if (iph->frag_off & htons(IP_OFFSET | IP_MF))
> > > +         fragment = true;
> > 
> > This function has a serious problem.
> > 
> > maybe_pull_tail() can change skb->data, therefore this "iph" pointer
> > can become invalid, you're essentially dereferencing garbage if
> > maybe_pull_tail() actually does any work.
> 
> Ok. Clearly I'm misunderstanding what __pskb_pull_tail() does then. I
> was under the impression that it moved skb->tail on but left skb->data
> alone (which is what I want to do). I will have another look.
[...]

A pull does not change the offset of skb->data but it may need to
expand, i.e. reallocate, the skb head area.  The kernel-doc states
clearly that this can happen.

Ben.

-- 
Ben Hutchings, Staff Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.