| Message ID | 1493988426-22854-4-git-send-email-simon.horman@netronome.com |
|---|---|
| State | RFC, archived |
| Delegated to: | David Miller |
| Headers | show |
On 17-05-05 08:47 AM, Simon Horman wrote: > If the flow skb_flow_dissect() returns an error it indicates that > dissection was incomplete for some reason. Matching using the result of an > incomplete dissection may cause unexpected results. For example: > > * A match on zero layer 4 ports will also match packets truncated at > the end of the IP header; that is packets where ports are missing are > treated the same way as packets with zero ports. > * Likewise, a match on zero ICMP code or type will also match packets > truncated at the end of the IP header; that is packets where the ICMP > type and code are missing will be treated the same way as packets with > zero ICMP code and type. > > Separate patches to the flow dissector are required in order for it to > return errors in the above cases. > > Fixes: 77b9900ef53a ("tc: introduce Flower classifier") > Signed-off-by: Simon Horman <simon.horman@netronome.com> > Reviewed-by: Benjamin LaHaise <benjamin.lahaise@netronome.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> cheers, jamal
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index ca526c0881bd..90bfd003176b 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -187,7 +187,8 @@ static int fl_classify(struct sk_buff *skb, const struct tcf_proto *tp, * so do it rather here. */ skb_key.basic.n_proto = skb->protocol; - skb_flow_dissect(skb, &head->dissector, &skb_key, 0); + if (!skb_flow_dissect(skb, &head->dissector, &skb_key, 0)) + return -1; fl_set_masked_key(&skb_mkey, &skb_key, &head->mask);
If the flow skb_flow_dissect() returns an error it indicates that dissection was incomplete for some reason. Matching using the result of an incomplete dissection may cause unexpected results. For example: * A match on zero layer 4 ports will also match packets truncated at the end of the IP header; that is packets where ports are missing are treated the same way as packets with zero ports. * Likewise, a match on zero ICMP code or type will also match packets truncated at the end of the IP header; that is packets where the ICMP type and code are missing will be treated the same way as packets with zero ICMP code and type. Separate patches to the flow dissector are required in order for it to return errors in the above cases. Fixes: 77b9900ef53a ("tc: introduce Flower classifier") Signed-off-by: Simon Horman <simon.horman@netronome.com> Reviewed-by: Benjamin LaHaise <benjamin.lahaise@netronome.com> --- net/sched/cls_flower.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)