diff options
author | Wei Liu <wei.liu2@citrix.com> | 2013-04-21 22:20:43 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-04-22 15:37:01 -0400 |
commit | 03393fd5cc2b6cdeec32b704ecba64dbb0feae3c (patch) | |
tree | e5e6484266da2624a56aa8fca0828e16a19037bb | |
parent | 2810e5b9a7731ca5fce22bfbe12c96e16ac44b6f (diff) |
xen-netback: don't disconnect frontend when seeing oversize packet
Some frontend drivers are sending packets > 64 KiB in length. This length
overflows the length field in the first slot making the following slots have
an invalid length.
Turn this error back into a non-fatal error by dropping the packet. To avoid
having the following slots having fatal errors, consume all slots in the
packet.
This does not reopen the security hole in XSA-39 as if the packet as an
invalid number of slots it will still hit fatal error case.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/net/xen-netback/netback.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index d9292c59789b..a2865f17c667 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c | |||
@@ -975,12 +975,22 @@ static int netbk_count_requests(struct xenvif *vif, | |||
975 | 975 | ||
976 | memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots), | 976 | memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots), |
977 | sizeof(*txp)); | 977 | sizeof(*txp)); |
978 | if (txp->size > first->size) { | 978 | |
979 | netdev_err(vif->dev, | 979 | /* If the guest submitted a frame >= 64 KiB then |
980 | "Invalid tx request, slot size %u > remaining size %u\n", | 980 | * first->size overflowed and following slots will |
981 | txp->size, first->size); | 981 | * appear to be larger than the frame. |
982 | netbk_fatal_tx_err(vif); | 982 | * |
983 | return -EIO; | 983 | * This cannot be fatal error as there are buggy |
984 | * frontends that do this. | ||
985 | * | ||
986 | * Consume all slots and drop the packet. | ||
987 | */ | ||
988 | if (!drop_err && txp->size > first->size) { | ||
989 | if (net_ratelimit()) | ||
990 | netdev_dbg(vif->dev, | ||
991 | "Invalid tx request, slot size %u > remaining size %u\n", | ||
992 | txp->size, first->size); | ||
993 | drop_err = -EIO; | ||
984 | } | 994 | } |
985 | 995 | ||
986 | first->size -= txp->size; | 996 | first->size -= txp->size; |