From patchwork Wed Apr 17 17:42:03 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wei Liu X-Patchwork-Id: 237331 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3D9C82C016B for ; Thu, 18 Apr 2013 03:42:28 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966081Ab3DQRmX (ORCPT ); Wed, 17 Apr 2013 13:42:23 -0400 Received: from smtp.citrix.com ([66.165.176.89]:31831 "EHLO SMTP.CITRIX.COM" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S936191Ab3DQRmT (ORCPT ); Wed, 17 Apr 2013 13:42:19 -0400 X-IronPort-AV: E=Sophos;i="4.87,495,1363132800"; d="scan'208";a="20007614" Received: from accessns.citrite.net (HELO FTLPEX01CL02.citrite.net) ([10.9.154.239]) by FTLPIPO01.CITRIX.COM with ESMTP/TLS/AES128-SHA; 17 Apr 2013 17:42:18 +0000 Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.79) with Microsoft SMTP Server id 14.2.342.3; Wed, 17 Apr 2013 13:42:18 -0400 Received: from dt47.uk.xensource.com ([10.80.229.47]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1USWN8-0002LN-0Z; Wed, 17 Apr 2013 18:42:18 +0100 From: Wei Liu To: , CC: , , , , Wei Liu , David Vrabel Subject: [PATCH 4/4] xen-netback: don't disconnect frontend when seeing oversize packet Date: Wed, 17 Apr 2013 18:42:03 +0100 Message-ID: <1366220523-14579-5-git-send-email-wei.liu2@citrix.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1366220523-14579-1-git-send-email-wei.liu2@citrix.com> References: <1366220523-14579-1-git-send-email-wei.liu2@citrix.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Some frontend drivers are sending packets > 64 KiB in length. This length overflows the length field in the first slot making the following slots have an invalid length. Turn this error back into a non-fatal error by dropping the packet. To avoid having the following slots having fatal errors, consume all slots in the packet. This does not reopen the security hole in XSA-39 as if the packet as an invalid number of slots it will still hit fatal error case. Signed-off-by: David Vrabel Signed-off-by: Wei Liu Acked-by: Ian Campbell --- drivers/net/xen-netback/netback.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index 86d533a..8b25124 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c @@ -981,12 +981,22 @@ static int netbk_count_requests(struct xenvif *vif, memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots), sizeof(*txp)); - if (txp->size > first->size) { - netdev_err(vif->dev, - "Invalid tx request, slot size %u > remaining size %u\n", - txp->size, first->size); - netbk_fatal_tx_err(vif); - return -EIO; + + /* If the guest submitted a frame >= 64 KiB then + * first->size overflowed and following slots will + * appear to be larger than the frame. + * + * This cannot be fatal error as there are buggy + * frontends that do this. + * + * Consume all slots and drop the packet. + */ + if (!drop_err && txp->size > first->size) { + if (net_ratelimit()) + netdev_dbg(vif->dev, + "Invalid tx request, slot size %u > remaining size %u\n", + txp->size, first->size); + drop_err = -EIO; } first->size -= txp->size;