From patchwork Fri Feb 6 09:00:24 2009
X-Patchwork-Submitter: Jesper Dangaard Brouer
X-Patchwork-Id: 22320
X-Patchwork-Delegate: davem@davemloft.net
Subject: [RFC] [PATCH] Fix UDP short packet false positive
From: Jesper Dangaard Brouer Reply-To: jdb@comx.dk To: David Miller Cc: netdev@vger.kernel.org In-Reply-To: <20090205.150612.208352009.davem@davemloft.net> References: <20090204.010029.12969718.davem@davemloft.net> <1233837840.20497.129.camel@localhost.localdomain> <1233838027.20497.132.camel@localhost.localdomain> <20090205.150612.208352009.davem@davemloft.net> Organization: ComX Networks A/S Date: Fri, 06 Feb 2009 10:00:24 +0100 Message-Id: <1233910824.21135.6.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.6.3 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On Thu, 2009-02-05 at 15:06 -0800, David Miller wrote: > From: Jesper Dangaard Brouer > Date: Thu, 05 Feb 2009 13:47:07 +0100 > > > The UDP header pointer assignment must happen after calling > > pskb_may_pull(). As pskb_may_pull() can potentially alter the SKB > > buffer. > > Excellent work! Thanks :-) I'm wondering if the ip_hdr() pointer can be changed by the pskb_may_pull(), but I assume it cannot as it should already be in the linear area... right? Well the patch below, shows what I mean... diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index cc3a0a0..7390af6 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1232,20 +1232,23 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, { struct sock *sk; struct udphdr *uh; unsigned short ulen; struct rtable *rt = (struct rtable*)skb->dst; - __be32 saddr = ip_hdr(skb)->saddr; - __be32 daddr = ip_hdr(skb)->daddr; + __be32 saddr; + __be32 daddr; struct net *net = dev_net(skb->dev); /* * Validate the packet. */ if (!pskb_may_pull(skb, sizeof(struct udphdr))) goto drop; /* No space for header. */ + saddr = ip_hdr(skb)->saddr; + daddr = ip_hdr(skb)->daddr; + uh = udp_hdr(skb); ulen = ntohs(uh->len); if (ulen > skb->len) goto short_packet;
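Review bot: In __udp4_lib_rcv(), moving the saddr and daddr loads below pskb_may_pull() leaves both variables unassigned on the early `goto drop` path. The drop label is outside this hunk, so confirm that nothing reached from it reads either variable, and check that the compiler does not warn about a possibly uninitialized use. On the question asked in the mail: saddr and daddr are __be32 values copied out of the IP header, not pointers into the buffer, so the old initializers could not go stale the way a cached udphdr pointer can if pskb_may_pull() alters the SKB buffer. If the move is kept for consistency with the uh assignment, the changelog should say it is a cleanup and not a fix; as posted, this hunk has no changelog text or Signed-off-by.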