Patchwork skbuff: don't corrupt mac_header on skb expansion

login
register
mail settings
Submitter stephen hemminger
Date June 17, 2009, 10:17 p.m.
Message ID <20090617151734.5ce02459@nehalam>
Download mbox | patch
Permalink /patch/28816/
State Accepted
Delegated to: David Miller
Headers show

Comments

stephen hemminger - June 17, 2009, 10:17 p.m.
The skb mac_header field is sometimes NULL (or ~0u) as a sentinel
value. The places where skb is expanded add an offset which would
change this flag into an invalid pointer (or offset).

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller - June 18, 2009, 1:53 a.m.
From: Stephen Hemminger <shemminger@vyatta.com>
Date: Wed, 17 Jun 2009 15:17:34 -0700

> The skb mac_header field is sometimes NULL (or ~0u) as a sentinel
> value. The places where skb is expanded add an offset which would
> change this flag into an invalid pointer (or offset).
> 
> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Herbert Xu - July 5, 2009, 3:55 a.m.
Stephen Hemminger <shemminger@vyatta.com> wrote:
> The skb mac_header field is sometimes NULL (or ~0u) as a sentinel
> value. The places where skb is expanded add an offset which would
> change this flag into an invalid pointer (or offset).
> 
> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

What uses skb_mac_header_was_set apart from a debugging printk
in route.c and nfnetlink_log (which is also essentially a debugging
printk)?

This seems to be a bit much just to make a couple printks work?

What about using mac_len instead to figure out whether the MAC
header is there?

Cheers,
stephen hemminger - July 6, 2009, 6:23 p.m.
On Sun, 5 Jul 2009 11:55:21 +0800
Herbert Xu <herbert@gondor.apana.org.au> wrote:

> Stephen Hemminger <shemminger@vyatta.com> wrote:
> > The skb mac_header field is sometimes NULL (or ~0u) as a sentinel
> > value. The places where skb is expanded add an offset which would
> > change this flag into an invalid pointer (or offset).
> > 
> > Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
> 
> What uses skb_mac_header_was_set apart from a debugging printk
> in route.c and nfnetlink_log (which is also essentially a debugging
> printk)?
> 
> This seems to be a bit much just to make a couple printks work?
> 
> What about using mac_len instead to figure out whether the MAC
> header is there?
> 
> Cheers,

No worries, either way works, I was just trying to keep acme's original code

Patch

--- a/net/core/skbuff.c	2009-06-17 15:02:19.208725168 -0700
+++ b/net/core/skbuff.c	2009-06-17 15:04:50.139435754 -0700
@@ -657,7 +657,8 @@  static void copy_skb_header(struct sk_bu
 	/* {transport,network,mac}_header are relative to skb->head */
 	new->transport_header += offset;
 	new->network_header   += offset;
-	new->mac_header	      += offset;
+	if (skb_mac_header_was_set(new))
+		new->mac_header	      += offset;
 #endif
 	skb_shinfo(new)->gso_size = skb_shinfo(old)->gso_size;
 	skb_shinfo(new)->gso_segs = skb_shinfo(old)->gso_segs;
@@ -839,7 +840,8 @@  int pskb_expand_head(struct sk_buff *skb
 	skb->tail	      += off;
 	skb->transport_header += off;
 	skb->network_header   += off;
-	skb->mac_header	      += off;
+	if (skb_mac_header_was_set(skb))
+		skb->mac_header += off;
 	skb->csum_start       += nhead;
 	skb->cloned   = 0;
 	skb->hdr_len  = 0;
@@ -931,7 +933,8 @@  struct sk_buff *skb_copy_expand(const st
 #ifdef NET_SKBUFF_DATA_USES_OFFSET
 	n->transport_header += off;
 	n->network_header   += off;
-	n->mac_header	    += off;
+	if (skb_mac_header_was_set(skb))
+		n->mac_header += off;
 #endif
 
 	return n;