diff options
| author | Björn Töpel <bjorn.topel@intel.com> | 2018-06-04 07:57:11 -0400 |
|---|---|---|
| committer | Daniel Borkmann <daniel@iogearbox.net> | 2018-06-04 11:21:02 -0400 |
| commit | 4e64c835254095f55044d393e628dd3e92fca304 (patch) | |
| tree | 51db5592136aab51ca7451006085044715affbe9 /net/xdp/xsk.c | |
| parent | bd3a08aaa9a383ffbbd5b788b797ae6e64eaa7a1 (diff) | |
xsk: proper fill queue descriptor validation
Previously the fill queue descriptor was not copied to kernel space
prior validating it, making it possible for userland to change the
descriptor post-kernel-validation.
Signed-off-by: Björn Töpel <bjorn.topel@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'net/xdp/xsk.c')
| -rw-r--r-- | net/xdp/xsk.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index cce0e4f8a536..43554eb56fe6 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c | |||
| @@ -41,20 +41,19 @@ bool xsk_is_setup_for_bpf_map(struct xdp_sock *xs) | |||
| 41 | 41 | ||
| 42 | static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp) | 42 | static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp) |
| 43 | { | 43 | { |
| 44 | u32 *id, len = xdp->data_end - xdp->data; | 44 | u32 id, len = xdp->data_end - xdp->data; |
| 45 | void *buffer; | 45 | void *buffer; |
| 46 | int err = 0; | 46 | int err; |
| 47 | 47 | ||
| 48 | if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index) | 48 | if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index) |
| 49 | return -EINVAL; | 49 | return -EINVAL; |
| 50 | 50 | ||
| 51 | id = xskq_peek_id(xs->umem->fq); | 51 | if (!xskq_peek_id(xs->umem->fq, &id)) |
| 52 | if (!id) | ||
| 53 | return -ENOSPC; | 52 | return -ENOSPC; |
| 54 | 53 | ||
| 55 | buffer = xdp_umem_get_data_with_headroom(xs->umem, *id); | 54 | buffer = xdp_umem_get_data_with_headroom(xs->umem, id); |
| 56 | memcpy(buffer, xdp->data, len); | 55 | memcpy(buffer, xdp->data, len); |
| 57 | err = xskq_produce_batch_desc(xs->rx, *id, len, | 56 | err = xskq_produce_batch_desc(xs->rx, id, len, |
| 58 | xs->umem->frame_headroom); | 57 | xs->umem->frame_headroom); |
| 59 | if (!err) | 58 | if (!err) |
| 60 | xskq_discard_id(xs->umem->fq); | 59 | xskq_discard_id(xs->umem->fq); |