Patchwork [7/7] xen-netback: don't disconnect frontend when seeing oversize packet

login
register
mail settings
Submitter Wei Liu
Date April 9, 2013, 11:07 a.m.
Message ID <1365505655-8021-8-git-send-email-wei.liu2@citrix.com>
Download mbox | patch
Permalink /patch/235046/
State Changes Requested
Delegated to: David Miller
Headers show

Comments

Wei Liu - April 9, 2013, 11:07 a.m.
Some frontend drivers are sending packets > 64 KiB in length. This length
overflows the length field in the first slot making the following slots have
an invalid length ("Packet is bigger than frame").

Turn this error back into a non-fatal error by dropping the packet. To avoid
having the following slots having fatal errors, consume all slots in the
packet.

This does not reopen the security hole in XSA-39 as if the packet as an
invalid number of slots it will still hit fatal error case.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
 drivers/net/xen-netback/netback.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
David Laight - April 9, 2013, 11:34 a.m.
> +		if (!drop_err && txp->size > first->size) {
> +			if (net_ratelimit())
> +				netdev_dbg(vif->dev,
> +					   "Packet is bigger than frame.\n");

It must be worth printing txp->size and first->size here.
Similarly for the other errors in the other patches.

Probably difficult for some of these errors, but it is
sometimes worth saving the last 'bad' item. So that with
an appropriate tool (maybe hexdump of /dev/kmem) it is
possible to look at the actual contents and thus determine
the actual source of the error.

	David


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Wei Liu - April 9, 2013, 11:54 a.m.
On Tue, Apr 09, 2013 at 12:34:42PM +0100, David Laight wrote:
> > +		if (!drop_err && txp->size > first->size) {
> > +			if (net_ratelimit())
> > +				netdev_dbg(vif->dev,
> > +					   "Packet is bigger than frame.\n");
> 
> It must be worth printing txp->size and first->size here.
> Similarly for the other errors in the other patches.
> 

Sure.

> Probably difficult for some of these errors, but it is
> sometimes worth saving the last 'bad' item. So that with
> an appropriate tool (maybe hexdump of /dev/kmem) it is
> possible to look at the actual contents and thus determine
> the actual source of the error.
> 

I doubt that you can get much information by analysing txp, it is just
controll structure in ring, not the actual packet content. The packet is
still in DomU.


Wei.

> 	David
> 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index 3490b2c..acd057b 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -986,10 +986,21 @@  static int netbk_count_requests(struct xenvif *vif,
 
 		memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),
 		       sizeof(*txp));
-		if (txp->size > first->size) {
-			netdev_err(vif->dev, "Packet is bigger than frame.\n");
-			netbk_fatal_tx_err(vif);
-			return -EIO;
+
+		/* If the guest submitted a frame >= 64 KiB then
+		 * first->size overflowed and following slots will
+		 * appear to be larger than the frame.
+		 *
+		 * This cannot be fatal error as there are buggy
+		 * frontends that do this.
+		 *
+		 * Consume all slots and drop the packet.
+		 */
+		if (!drop_err && txp->size > first->size) {
+			if (net_ratelimit())
+				netdev_dbg(vif->dev,
+					   "Packet is bigger than frame.\n");
+			drop_err = -EIO;
 		}
 
 		first->size -= txp->size;