From patchwork Wed Feb 13 23:40:21 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Graf X-Patchwork-Id: 220301 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 073EA2C008C for ; Thu, 14 Feb 2013 10:40:29 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1761189Ab3BMXkZ (ORCPT ); Wed, 13 Feb 2013 18:40:25 -0500 Received: from casper.infradead.org ([85.118.1.10]:47597 "EHLO casper.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752314Ab3BMXkY (ORCPT ); Wed, 13 Feb 2013 18:40:24 -0500 Received: from tgr by casper.infradead.org with local (Exim 4.76 #1 (Red Hat Linux)) id 1U5lw5-0005jt-3K; Wed, 13 Feb 2013 23:40:21 +0000 Date: Wed, 13 Feb 2013 23:40:21 +0000 From: Thomas Graf To: davem@davemloft.net Cc: netdev@vger.kernel.org Subject: [PATCH] net: Convert skb->csum_(start|offset) integrity BUG_ON() to WARN_ON() & drop Message-ID: <20130213234021.GA21829@casper.infradead.org> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-SRS-Rewrite: SMTP reverse-path rewritten from by casper.infradead.org See http://www.infradead.org/rpr.html Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org skb_checksum_help() verifies the integrity of skb->csum_start and skb->csum_offset with BUG_ON()s. They have been hit with IPoIB which uses a 64K MTU. If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start. This in turn will trigger the BUG_ON() in skb_checksum_help(). Convert these to WARN_ON() and drop the packet. Signed-off-by: Thomas Graf --- net/core/dev.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/core/dev.c b/net/core/dev.c index f64e439..629d22e 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2047,11 +2047,14 @@ int skb_checksum_help(struct sk_buff *skb) } offset = skb_checksum_start_offset(skb); - BUG_ON(offset >= skb_headlen(skb)); + if (WARN_ON(offset >= skb_headlen(skb))) + return -ERANGE; + csum = skb_checksum(skb, offset, skb->len - offset, 0); offset += skb->csum_offset; - BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb)); + if (WARN_ON(offset + sizeof(__sum16) > skb_headlen(skb))) + return -ERANGE; if (skb_cloned(skb) && !skb_clone_writable(skb, offset + sizeof(__sum16))) {