xen-netback: don't disconnect frontend when seeing oversize packet

Some frontend drivers are sending packets > 64 KiB in length. This length overflows the length field in the first slot making the following slots have an invalid length. Turn this error back into a non-fatal error by dropping the packet. To avoid having the following slots having fatal errors, consume all slots in the packet. This does not reopen the security hole in XSA-39 as if the packet as an invalid number of slots it will still hit fatal error case. Signed-off-by: David Vrabel <david.vrabel@citrix.com> Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Wei Liu <wei.liu2@citrix.com> 2013-04-21 22:20:43 -0400
committer: David S. Miller <davem@davemloft.net> 2013-04-22 15:37:01 -0400
commit: 03393fd5cc2b6cdeec32b704ecba64dbb0feae3c (patch)
tree: e5e6484266da2624a56aa8fca0828e16a19037bb /drivers/net/xen-netback
parent: 2810e5b9a7731ca5fce22bfbe12c96e16ac44b6f (diff)
1 files changed, 16 insertions, 6 deletions
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index d9292c59789b..a2865f17c667 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -975,12 +975,22 @@ static int netbk_count_requests(struct xenvif *vif,
                memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),
                       sizeof(*txp));
-                if (txp->size > first->size) {
-                        netdev_err(vif->dev,
+                /* If the guest submitted a frame >= 64 KiB then
-                                   "Invalid tx request, slot size %u > remaining size %u\n",
+                 * first->size overflowed and following slots will
-                                   txp->size, first->size);
+                 * appear to be larger than the frame.
-                        netbk_fatal_tx_err(vif);
+                 *
-                        return -EIO;
+                 * This cannot be fatal error as there are buggy
+                 * frontends that do this.
+                 *
+                 * Consume all slots and drop the packet.
+                 */
+                if (!drop_err && txp->size > first->size) {
+                        if (net_ratelimit())
+                                netdev_dbg(vif->dev,
+                                           "Invalid tx request, slot size %u > remaining size %u\n",
+                                           txp->size, first->size);
+                        drop_err = -EIO;
                }
                first->size -= txp->size;
author	Wei Liu <wei.liu2@citrix.com>	2013-04-21 22:20:43 -0400
committer	David S. Miller <davem@davemloft.net>	2013-04-22 15:37:01 -0400
commit	03393fd5cc2b6cdeec32b704ecba64dbb0feae3c (patch)
tree	e5e6484266da2624a56aa8fca0828e16a19037bb /drivers/net/xen-netback
parent	2810e5b9a7731ca5fce22bfbe12c96e16ac44b6f (diff)

diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index d9292c59789b..a2865f17c667 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c
@@ -975,12 +975,22 @@ static int netbk_count_requests(struct xenvif *vif,
975		975
976	memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),	976	memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),
977	sizeof(*txp));	977	sizeof(*txp));
978	if (txp->size > first->size) {	978
979	netdev_err(vif->dev,	979	/* If the guest submitted a frame >= 64 KiB then
980	"Invalid tx request, slot size %u > remaining size %u\n",	980	* first->size overflowed and following slots will
981	txp->size, first->size);	981	* appear to be larger than the frame.
982	netbk_fatal_tx_err(vif);	982	*
983	return -EIO;	983	* This cannot be fatal error as there are buggy
		984	* frontends that do this.
		985	*
		986	* Consume all slots and drop the packet.
		987	*/
		988	if (!drop_err && txp->size > first->size) {
		989	if (net_ratelimit())
		990	netdev_dbg(vif->dev,
		991	"Invalid tx request, slot size %u > remaining size %u\n",
		992	txp->size, first->size);
		993	drop_err = -EIO;
984	}	994	}
985		995
986	first->size -= txp->size;	996	first->size -= txp->size;