[NET]: Verify gso_type too in gso_segment

We don't want nasty Xen guests to pass a TCPv6 packet in with gso_type set to TCPv4 or even UDP (or a packet that's both TCP and UDP). Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2006-07-03 22:38:35 -0400
committer: David S. Miller <davem@davemloft.net> 2006-07-03 22:38:35 -0400
commit: bbcf467dab42ea3c85f368df346c82af2fbba665 (patch)
tree: e9fe30c1be9c6a3773454bad3eefaabf4f5bee48 /net/ipv4/tcp.c
parent: 6ce1669fdb6b0a0faf9b2e2ba08048b520c57841 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 804458712d88..f6a2d9223d07 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2170,8 +2170,19 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
        if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
                /* Packet is from an untrusted source, reset gso_segs. */
-                int mss = skb_shinfo(skb)->gso_size;
+                int type = skb_shinfo(skb)->gso_type;
+                int mss;
+                if (unlikely(type &
+                             ~(SKB_GSO_TCPV4 |
+                               SKB_GSO_DODGY |
+                               SKB_GSO_TCP_ECN |
+                               SKB_GSO_TCPV6 |
+                               0) ||
+                             !(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
+                        goto out;
+                mss = skb_shinfo(skb)->gso_size;
                skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
                segs = NULL;
author	Herbert Xu <herbert@gondor.apana.org.au>	2006-07-03 22:38:35 -0400
committer	David S. Miller <davem@davemloft.net>	2006-07-03 22:38:35 -0400
commit	bbcf467dab42ea3c85f368df346c82af2fbba665 (patch)
tree	e9fe30c1be9c6a3773454bad3eefaabf4f5bee48 /net/ipv4/tcp.c
parent	6ce1669fdb6b0a0faf9b2e2ba08048b520c57841 (diff)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 804458712d88..f6a2d9223d07 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c
@@ -2170,8 +2170,19 @@ struct sk_buff tcp_tso_segment(struct sk_buff skb, int features)
2170		2170
2171	if (skb_gso_ok(skb, features \| NETIF_F_GSO_ROBUST)) {	2171	if (skb_gso_ok(skb, features \| NETIF_F_GSO_ROBUST)) {
2172	/* Packet is from an untrusted source, reset gso_segs. */	2172	/* Packet is from an untrusted source, reset gso_segs. */
2173	int mss = skb_shinfo(skb)->gso_size;	2173	int type = skb_shinfo(skb)->gso_type;
		2174	int mss;
		2175
		2176	if (unlikely(type &
		2177	~(SKB_GSO_TCPV4 \|
		2178	SKB_GSO_DODGY \|
		2179	SKB_GSO_TCP_ECN \|
		2180	SKB_GSO_TCPV6 \|
		2181	0) \|\|
		2182	!(type & (SKB_GSO_TCPV4 \| SKB_GSO_TCPV6))))
		2183	goto out;
2174		2184
		2185	mss = skb_shinfo(skb)->gso_size;
2175	skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;	2186	skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
2176		2187
2177	segs = NULL;	2188	segs = NULL;