From patchwork Wed Jan 25 16:26:52 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Durrant X-Patchwork-Id: 719736 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3v7r6X0rTzz9sDg for ; Thu, 26 Jan 2017 03:26:59 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751416AbdAYQ05 (ORCPT ); Wed, 25 Jan 2017 11:26:57 -0500 Received: from smtp.citrix.com ([66.165.176.89]:36469 "EHLO SMTP.CITRIX.COM" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750731AbdAYQ04 (ORCPT ); Wed, 25 Jan 2017 11:26:56 -0500 X-IronPort-AV: E=Sophos;i="5.33,284,1477958400"; d="scan'208";a="401933635" From: Paul Durrant To: , CC: Paul Durrant , Boris Ostrovsky , Juergen Gross Subject: [PATCH net-next] xen-netfront: reject short packets and handle non-linear packets Date: Wed, 25 Jan 2017 16:26:52 +0000 Message-ID: <1485361612-10154-1-git-send-email-paul.durrant@citrix.com> X-Mailer: git-send-email 2.1.4 MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Sowmini points out two vulnerabilities in xen-netfront: a) The code assumes that skb->len is at least ETH_HLEN. b) The code assumes that at least ETH_HLEN octets are in the linear port of the socket buffer. This patch adds tests for both of these, and in the case of the latter pulls sufficient bytes into the linear area. Signed-off-by: Paul Durrant Reported-by: Sowmini Varadhan Tested-by: Sowmini Varadhan --- Cc: Boris Ostrovsky Cc: Juergen Gross --- drivers/net/xen-netfront.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index 40f26b6..0478809 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -567,6 +567,10 @@ static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev) u16 queue_index; struct sk_buff *nskb; + /* Basic sanity check */ + if (unlikely(skb->len < ETH_HLEN)) + goto drop; + /* Drop the packet if no queues are set up */ if (num_queues < 1) goto drop; @@ -609,6 +613,11 @@ static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev) } len = skb_headlen(skb); + if (unlikely(len < ETH_HLEN)) { + if (!__pskb_pull_tail(skb, ETH_HLEN - len)) + goto drop; + len = ETH_HLEN; + } spin_lock_irqsave(&queue->tx_lock, flags);