Message ID | 1297657662-30289-8-git-send-email-cooldavid@cooldavid.org |
---|---|
State | Changes Requested, archived |
Headers | show |
From: "Guo-Fu Tseng" <cooldavid@cooldavid.org> Date: Mon, 14 Feb 2011 12:27:41 +0800 > @@ -956,8 +956,27 @@ jme_disable_rx_engine(struct jme_adapter *jme) > jme_mac_rxclk_off(jme); > } > > +static u16 > +jme_udpsum(struct sk_buff *skb) > +{ > + u16 csum = 0xFFFFu; > + > + if (skb->protocol != htons(ETH_P_IP)) > + return csum; > + skb_set_network_header(skb, ETH_HLEN); > + if (ip_hdr(skb)->protocol != IPPROTO_UDP) > + return csum; > + skb_set_transport_header(skb, > + ETH_HLEN + (ip_hdr(skb)->ihl << 2)); > + csum = udp_hdr(skb)->check; > + skb_reset_transport_header(skb); > + skb_reset_network_header(skb); > + > + return csum; > +} You need to validate the packet length in all of these packet header accesses, otherwise you're potentially looking at garbage. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sun, 13 Feb 2011 20:43:00 -0800 (PST), David Miller wrote > From: "Guo-Fu Tseng" <cooldavid@cooldavid.org> > Date: Mon, 14 Feb 2011 12:27:41 +0800 > > > @@ -956,8 +956,27 @@ jme_disable_rx_engine(struct jme_adapter *jme) > > jme_mac_rxclk_off(jme); > > } > > > > +static u16 > > +jme_udpsum(struct sk_buff *skb) > > +{ > > + u16 csum = 0xFFFFu; > > + > > + if (skb->protocol != htons(ETH_P_IP)) > > + return csum; > > + skb_set_network_header(skb, ETH_HLEN); > > + if (ip_hdr(skb)->protocol != IPPROTO_UDP) > > + return csum; > > + skb_set_transport_header(skb, > > + ETH_HLEN + (ip_hdr(skb)->ihl << 2)); > > + csum = udp_hdr(skb)->check; > > + skb_reset_transport_header(skb); > > + skb_reset_network_header(skb); > > + > > + return csum; > > +} > > You need to validate the packet length in all of these packet header > accesses, otherwise you're potentially looking at garbage. Thank you! Redoing this path, I'll send it later. :) Guo-Fu Tseng -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/jme.c b/drivers/net/jme.c index ed35e17..5ced990 100644 --- a/drivers/net/jme.c +++ b/drivers/net/jme.c @@ -956,8 +956,27 @@ jme_disable_rx_engine(struct jme_adapter *jme) jme_mac_rxclk_off(jme); } +static u16 +jme_udpsum(struct sk_buff *skb) +{ + u16 csum = 0xFFFFu; + + if (skb->protocol != htons(ETH_P_IP)) + return csum; + skb_set_network_header(skb, ETH_HLEN); + if (ip_hdr(skb)->protocol != IPPROTO_UDP) + return csum; + skb_set_transport_header(skb, + ETH_HLEN + (ip_hdr(skb)->ihl << 2)); + csum = udp_hdr(skb)->check; + skb_reset_transport_header(skb); + skb_reset_network_header(skb); + + return csum; +} + static int -jme_rxsum_ok(struct jme_adapter *jme, u16 flags) +jme_rxsum_ok(struct jme_adapter *jme, u16 flags, struct sk_buff *skb) { if (!(flags & (RXWBFLAG_TCPON | RXWBFLAG_UDPON | RXWBFLAG_IPV4))) return false; @@ -970,7 +989,7 @@ jme_rxsum_ok(struct jme_adapter *jme, u16 flags) } if (unlikely((flags & (RXWBFLAG_MF | RXWBFLAG_UDPON | RXWBFLAG_UDPCS)) - == RXWBFLAG_UDPON)) { + == RXWBFLAG_UDPON) && jme_udpsum(skb)) { if (flags & RXWBFLAG_IPV4) netif_err(jme, rx_err, jme->dev, "UDP Checksum error\n"); return false; @@ -1018,7 +1037,7 @@ jme_alloc_and_feed_skb(struct jme_adapter *jme, int idx) skb_put(skb, framesize); skb->protocol = eth_type_trans(skb, jme->dev); - if (jme_rxsum_ok(jme, le16_to_cpu(rxdesc->descwb.flags))) + if (jme_rxsum_ok(jme, le16_to_cpu(rxdesc->descwb.flags), skb)) skb->ip_summed = CHECKSUM_UNNECESSARY; else skb_checksum_none_assert(skb);