Message ID | 1349840900-24138-1-git-send-email-amwang@redhat.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
From: Cong Wang <amwang@redhat.com>
Date: Wed, 10 Oct 2012 11:48:16 +0800

> For IPv6, sizeof(struct ipv6hdr) = 40, thus the following
> expression will result negative:
>
> datalen = pkt_dev->cur_pkt_size - 14 -
> sizeof(struct ipv6hdr) - sizeof(struct udphdr) -
> pkt_dev->pkt_overhead;
>
> And, the check "if (datalen < sizeof(struct pktgen_hdr))" will be
> passed as "datalen" is promoted to unsigned, therefore will cause
> a crash later.
>
> This is a quick fix by checking if "datalen" is negative. The following
> patch will increase the default value of 'min_pkt_size' for IPv6.
>
> This bug should exist for a long time, so Cc -stable too.
>
> Cc: <stable@vger.kernel.org>
> Cc: David S. Miller <davem@davemloft.net>
> Signed-off-by: Cong Wang <amwang@redhat.com>

Applied.
diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 148e73d..e356b8d 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -2927,7 +2927,7 @@ static struct sk_buff *fill_packet_ipv6(struct net_device *odev, sizeof(struct ipv6hdr) - sizeof(struct udphdr) - pkt_dev->pkt_overhead; - if (datalen < sizeof(struct pktgen_hdr)) { + if (datalen < 0 || datalen < sizeof(struct pktgen_hdr)) { datalen = sizeof(struct pktgen_hdr); net_info_ratelimited("increased datalen to %d\n", datalen); }
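Review bot: In the changed condition of fill_packet_ipv6(), the second operand `datalen < sizeof(struct pktgen_hdr)` is still a signed-versus-unsigned comparison, and it is only safe because `datalen < 0` short-circuits first. A single comparison against a signed value, for example `if (datalen < (int)sizeof(struct pktgen_hdr))`, would state the intent without relying on evaluation order and would stay consistent with the `%d` passed to net_info_ratelimited(). A one-line comment above the check noting that datalen goes negative when cur_pkt_size is smaller than the headers plus pkt_overhead would also help, since nothing in this hunk rejects such a size earlier.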
For IPv6, sizeof(struct ipv6hdr) = 40, thus the following
expression will result negative:

datalen = pkt_dev->cur_pkt_size - 14 -
sizeof(struct ipv6hdr) - sizeof(struct udphdr) -
pkt_dev->pkt_overhead;

And, the check "if (datalen < sizeof(struct pktgen_hdr))" will be
passed as "datalen" is promoted to unsigned, therefore will cause
a crash later.

This is a quick fix by checking if "datalen" is negative. The following
patch will increase the default value of 'min_pkt_size' for IPv6.

This bug should exist for a long time, so Cc -stable too.

Cc: <stable@vger.kernel.org>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
---
net/core/pktgen.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
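The signed/unsigned comparison described in the commit message, as an added stand-alone C example (not kernel code and not part of the patch). Header sizes are plain constants; PKTGEN_HDR_LEN = 16 and the packet sizes are assumed values, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel values; not taken from pktgen.c. */
#define ETH_HDR_LEN    14            /* the literal 14 in the expression */
#define IPV6_HDR_LEN   40            /* sizeof(struct ipv6hdr), per the commit message */
#define UDP_HDR_LEN    8             /* sizeof(struct udphdr) */
#define PKTGEN_HDR_LEN ((size_t)16)  /* assumed stand-in for sizeof(struct pktgen_hdr) */

/* Payload length left once all headers are subtracted; may be negative. */
static int compute_datalen(int cur_pkt_size, int pkt_overhead)
{
    return cur_pkt_size - ETH_HDR_LEN - IPV6_HDR_LEN - UDP_HDR_LEN - pkt_overhead;
}

/* Pre-patch check. The cast spells out the conversion the compiler applies
 * implicitly when an int is compared with a size_t. */
static int clamp_before(int datalen)
{
    if ((size_t)datalen < PKTGEN_HDR_LEN)
        datalen = (int)PKTGEN_HDR_LEN;
    return datalen;
}

/* Patched check: the sign test runs first and short-circuits. */
static int clamp_after(int datalen)
{
    if (datalen < 0 || (size_t)datalen < PKTGEN_HDR_LEN)
        datalen = (int)PKTGEN_HDR_LEN;
    return datalen;
}

int main(void)
{
    int sizes[] = { 60, 70, 100 };   /* constructed packet sizes */
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        int d = compute_datalen(sizes[i], 0);
        printf("cur_pkt_size=%d datalen=%d before=%d after=%d\n",
               sizes[i], d, clamp_before(d), clamp_after(d));
    }
    return 0;
}
```

With a packet size of 60 the pre-patch check leaves datalen negative, while small positive values are clamped identically by both versions.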