| Message ID | 1365505655-8021-8-git-send-email-wei.liu2@citrix.com |
|---|---|
| State | Changes Requested, archived |
| Delegated to: | David Miller |
| Headers | show |
> + if (!drop_err && txp->size > first->size) { > + if (net_ratelimit()) > + netdev_dbg(vif->dev, > + "Packet is bigger than frame.\n"); It must be worth printing txp->size and first->size here. Similarly for the other errors in the other patches. Probably difficult for some of these errors, but it is sometimes worth saving the last 'bad' item. So that with an appropriate tool (maybe hexdump of /dev/kmem) it is possible to look at the actual contents and thus determine the actual source of the error. David -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Apr 09, 2013 at 12:34:42PM +0100, David Laight wrote: > > + if (!drop_err && txp->size > first->size) { > > + if (net_ratelimit()) > > + netdev_dbg(vif->dev, > > + "Packet is bigger than frame.\n"); > > It must be worth printing txp->size and first->size here. > Similarly for the other errors in the other patches. > Sure. > Probably difficult for some of these errors, but it is > sometimes worth saving the last 'bad' item. So that with > an appropriate tool (maybe hexdump of /dev/kmem) it is > possible to look at the actual contents and thus determine > the actual source of the error. > I doubt that you can get much information by analysing txp, it is just controll structure in ring, not the actual packet content. The packet is still in DomU. Wei. > David > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index 3490b2c..acd057b 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c @@ -986,10 +986,21 @@ static int netbk_count_requests(struct xenvif *vif, memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots), sizeof(*txp)); - if (txp->size > first->size) { - netdev_err(vif->dev, "Packet is bigger than frame.\n"); - netbk_fatal_tx_err(vif); - return -EIO; + + /* If the guest submitted a frame >= 64 KiB then + * first->size overflowed and following slots will + * appear to be larger than the frame. + * + * This cannot be fatal error as there are buggy + * frontends that do this. + * + * Consume all slots and drop the packet. + */ + if (!drop_err && txp->size > first->size) { + if (net_ratelimit()) + netdev_dbg(vif->dev, + "Packet is bigger than frame.\n"); + drop_err = -EIO; } first->size -= txp->size;
Some frontend drivers are sending packets > 64 KiB in length. This length overflows the length field in the first slot making the following slots have an invalid length ("Packet is bigger than frame"). Turn this error back into a non-fatal error by dropping the packet. To avoid having the following slots having fatal errors, consume all slots in the packet. This does not reopen the security hole in XSA-39 as if the packet as an invalid number of slots it will still hit fatal error case. Signed-off-by: David Vrabel <david.vrabel@citrix.com> Signed-off-by: Wei Liu <wei.liu2@citrix.com> --- drivers/net/xen-netback/netback.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-)