From patchwork Tue Apr 9 11:07:35 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wei Liu X-Patchwork-Id: 235046 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 048BB2C009C for ; Tue, 9 Apr 2013 21:22:37 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935797Ab3DILWJ (ORCPT ); Tue, 9 Apr 2013 07:22:09 -0400 Received: from smtp.citrix.com ([66.165.176.89]:52765 "EHLO SMTP.CITRIX.COM" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935763Ab3DILWH (ORCPT ); Tue, 9 Apr 2013 07:22:07 -0400 X-IronPort-AV: E=Sophos;i="4.87,438,1363132800"; d="scan'208";a="18295988" Received: from accessns.citrite.net (HELO FTLPEX01CL03.citrite.net) ([10.9.154.239]) by FTLPIPO01.CITRIX.COM with ESMTP/TLS/AES128-SHA; 09 Apr 2013 11:22:06 +0000 Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.2.342.3; Tue, 9 Apr 2013 07:22:05 -0400 Received: from dt47.uk.xensource.com ([10.80.229.47]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1UPWOv-0004o0-CG; Tue, 09 Apr 2013 12:07:45 +0100 From: Wei Liu To: , CC: , , , , , Wei Liu Subject: [PATCH 7/7] xen-netback: don't disconnect frontend when seeing oversize packet Date: Tue, 9 Apr 2013 12:07:35 +0100 Message-ID: <1365505655-8021-8-git-send-email-wei.liu2@citrix.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1365505655-8021-1-git-send-email-wei.liu2@citrix.com> References: <1365505655-8021-1-git-send-email-wei.liu2@citrix.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Some frontend drivers are sending packets > 64 KiB in length. This length overflows the length field in the first slot making the following slots have an invalid length ("Packet is bigger than frame"). Turn this error back into a non-fatal error by dropping the packet. To avoid having the following slots having fatal errors, consume all slots in the packet. This does not reopen the security hole in XSA-39 as if the packet as an invalid number of slots it will still hit fatal error case. Signed-off-by: David Vrabel Signed-off-by: Wei Liu --- drivers/net/xen-netback/netback.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index 3490b2c..acd057b 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c @@ -986,10 +986,21 @@ static int netbk_count_requests(struct xenvif *vif, memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots), sizeof(*txp)); - if (txp->size > first->size) { - netdev_err(vif->dev, "Packet is bigger than frame.\n"); - netbk_fatal_tx_err(vif); - return -EIO; + + /* If the guest submitted a frame >= 64 KiB then + * first->size overflowed and following slots will + * appear to be larger than the frame. + * + * This cannot be fatal error as there are buggy + * frontends that do this. + * + * Consume all slots and drop the packet. + */ + if (!drop_err && txp->size > first->size) { + if (net_ratelimit()) + netdev_dbg(vif->dev, + "Packet is bigger than frame.\n"); + drop_err = -EIO; } first->size -= txp->size;