ia64/linux-2.6.18-xen.hg

changeset 778:d490aa798cc4

gso: Ensure that the packet is long enough

When we get a GSO packet from an untrusted source, we need to
ensure that it is sufficiently long so that we don't end up
crashing.

Based on discovery and patch by Ian Campbell.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Jan 14 14:04:07 2009 +0000 (2009-01-14)
parents 8081d19dce89
children 0fadef4d5c46
files net/ipv4/tcp.c
line diff
     1.1 --- a/net/ipv4/tcp.c	Wed Jan 14 14:03:42 2009 +0000
     1.2 +++ b/net/ipv4/tcp.c	Wed Jan 14 14:04:07 2009 +0000
     1.3 @@ -2153,7 +2153,7 @@ struct sk_buff *tcp_tso_segment(struct s
     1.4  	unsigned int seq;
     1.5  	unsigned int delta;
     1.6  	unsigned int oldlen;
     1.7 -	unsigned int len;
     1.8 +	unsigned int mss;
     1.9  
    1.10  	if (!pskb_may_pull(skb, sizeof(*th)))
    1.11  		goto out;
    1.12 @@ -2169,10 +2169,13 @@ struct sk_buff *tcp_tso_segment(struct s
    1.13  	oldlen = (u16)~skb->len;
    1.14  	__skb_pull(skb, thlen);
    1.15  
    1.16 +	mss = skb_shinfo(skb)->gso_size;
    1.17 +	if (unlikely(skb->len <= mss))
    1.18 +		goto out;
    1.19 +
    1.20  	if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
    1.21  		/* Packet is from an untrusted source, reset gso_segs. */
    1.22  		int type = skb_shinfo(skb)->gso_type;
    1.23 -		int mss;
    1.24  
    1.25  		if (unlikely(type &
    1.26  			     ~(SKB_GSO_TCPV4 |
    1.27 @@ -2183,7 +2186,6 @@ struct sk_buff *tcp_tso_segment(struct s
    1.28  			     !(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
    1.29  			goto out;
    1.30  
    1.31 -		mss = skb_shinfo(skb)->gso_size;
    1.32  		skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
    1.33  
    1.34  		segs = NULL;
    1.35 @@ -2194,8 +2196,7 @@ struct sk_buff *tcp_tso_segment(struct s
    1.36  	if (IS_ERR(segs))
    1.37  		goto out;
    1.38  
    1.39 -	len = skb_shinfo(skb)->gso_size;
    1.40 -	delta = htonl(oldlen + (thlen + len));
    1.41 +	delta = htonl(oldlen + (thlen + mss));
    1.42  
    1.43  	skb = segs;
    1.44  	th = skb->h.th;
    1.45 @@ -2209,7 +2210,7 @@ struct sk_buff *tcp_tso_segment(struct s
    1.46  			th->check = csum_fold(csum_partial(skb->h.raw, thlen,
    1.47  							   skb->csum));
    1.48  
    1.49 -		seq += len;
    1.50 +		seq += mss;
    1.51  		skb = skb->next;
    1.52  		th = skb->h.th;
    1.53