From patchwork Mon Apr 22 12:20:43 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wei Liu X-Patchwork-Id: 238497 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 4272D2C0159 for ; Mon, 22 Apr 2013 22:21:23 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753292Ab3DVMVJ (ORCPT ); Mon, 22 Apr 2013 08:21:09 -0400 Received: from smtp02.citrix.com ([66.165.176.63]:5311 "EHLO SMTP02.CITRIX.COM" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753099Ab3DVMVH (ORCPT ); Mon, 22 Apr 2013 08:21:07 -0400 X-IronPort-AV: E=Sophos;i="4.87,526,1363132800"; d="scan'208";a="19767498" Received: from accessns.citrite.net (HELO FTLPEX01CL02.citrite.net) ([10.9.154.239]) by FTLPIPO02.CITRIX.COM with ESMTP/TLS/AES128-SHA; 22 Apr 2013 12:21:01 +0000 Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.79) with Microsoft SMTP Server id 14.2.342.3; Mon, 22 Apr 2013 08:21:00 -0400 Received: from dt47.uk.xensource.com ([10.80.229.47]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1UUFjw-0006Uj-Dt; Mon, 22 Apr 2013 13:21:00 +0100 From: Wei Liu To: CC: , , , Wei Liu , David Vrabel Subject: [PATCH net-next V7 4/4] xen-netback: don't disconnect frontend when seeing oversize packet Date: Mon, 22 Apr 2013 13:20:43 +0100 Message-ID: <1366633243-17775-5-git-send-email-wei.liu2@citrix.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1366633243-17775-1-git-send-email-wei.liu2@citrix.com> References: <1366633243-17775-1-git-send-email-wei.liu2@citrix.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Some frontend drivers are sending packets > 64 KiB in length. This length overflows the length field in the first slot making the following slots have an invalid length. Turn this error back into a non-fatal error by dropping the packet. To avoid having the following slots having fatal errors, consume all slots in the packet. This does not reopen the security hole in XSA-39 as if the packet as an invalid number of slots it will still hit fatal error case. Signed-off-by: David Vrabel Signed-off-by: Wei Liu Acked-by: Ian Campbell --- drivers/net/xen-netback/netback.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index d9292c5..a2865f1 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c @@ -975,12 +975,22 @@ static int netbk_count_requests(struct xenvif *vif, memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots), sizeof(*txp)); - if (txp->size > first->size) { - netdev_err(vif->dev, - "Invalid tx request, slot size %u > remaining size %u\n", - txp->size, first->size); - netbk_fatal_tx_err(vif); - return -EIO; + + /* If the guest submitted a frame >= 64 KiB then + * first->size overflowed and following slots will + * appear to be larger than the frame. + * + * This cannot be fatal error as there are buggy + * frontends that do this. + * + * Consume all slots and drop the packet. + */ + if (!drop_err && txp->size > first->size) { + if (net_ratelimit()) + netdev_dbg(vif->dev, + "Invalid tx request, slot size %u > remaining size %u\n", + txp->size, first->size); + drop_err = -EIO; } first->size -= txp->size;