{"id":806711,"url":"http://patchwork.ozlabs.org/api/1.0/patches/806711/?format=json","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/1.0/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20170828182941.10677-1-bpoirier@suse.com>","date":"2017-08-28T18:29:41","name":"packet: Don't write vnet header beyond end of buffer","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"4286a1fde6cc10e0a2ea20e70f29c77a33350667","submitter":{"id":67008,"url":"http://patchwork.ozlabs.org/api/1.0/people/67008/?format=json","name":"Benjamin Poirier","email":"bpoirier@suse.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/1.0/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/20170828182941.10677-1-bpoirier@suse.com/mbox/","series":[{"id":236,"url":"http://patchwork.ozlabs.org/api/1.0/series/236/?format=json","date":"2017-08-28T18:29:41","name":"packet: Don't write vnet header beyond end of buffer","version":1,"mbox":"http://patchwork.ozlabs.org/series/236/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/806711/checks/","tags":{},"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xh0gd0hWsz9s7v\n\tfor <patchwork-incoming@ozlabs.org>;\n\tTue, 29 Aug 2017 04:30:21 +1000 (AEST)","(majordomo@vger.kernel.org) by 
vger.kernel.org via listexpand\n\tid S1751346AbdH1SaC (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tMon, 28 Aug 2017 14:30:02 -0400","from mx2.suse.de ([195.135.220.15]:55927 \"EHLO mx1.suse.de\"\n\trhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP\n\tid S1750735AbdH1SaB (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tMon, 28 Aug 2017 14:30:01 -0400","from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254])\n\tby mx1.suse.de (Postfix) with ESMTP id 30666AC12;\n\tMon, 28 Aug 2017 18:30:00 +0000 (UTC)"],"X-Virus-Scanned":"by amavisd-new at test-mx.suse.de","From":"Benjamin Poirier <bpoirier@suse.com>","To":"\"David S. Miller\" <davem@davemloft.net>","Cc":"netdev@vger.kernel.org, linux-kernel@vger.kernel.org,\n\tWillem de Bruijn <willemb@google.com>","Subject":"[PATCH] packet: Don't write vnet header beyond end of buffer","Date":"Mon, 28 Aug 2017 14:29:41 -0400","Message-Id":"<20170828182941.10677-1-bpoirier@suse.com>","X-Mailer":"git-send-email 2.14.1","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"... 
which may happen with certain values of tp_reserve and maclen.\n\nFixes: 58d19b19cd99 (\"packet: vnet_hdr support for tpacket_rcv\")\nSigned-off-by: Benjamin Poirier <bpoirier@suse.com>\nCc: Willem de Bruijn <willemb@google.com>\n---\n net/packet/af_packet.c | 12 +++++++++---\n 1 file changed, 9 insertions(+), 3 deletions(-)","diff":"diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c\nindex 008a45ca3112..1c61af9af67d 100644\n--- a/net/packet/af_packet.c\n+++ b/net/packet/af_packet.c\n@@ -2191,6 +2191,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,\n \tstruct timespec ts;\n \t__u32 ts_status;\n \tbool is_drop_n_account = false;\n+\tbool do_vnet = false;\n \n \t/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.\n \t * We may add members to them until current aligned size without forcing\n@@ -2241,8 +2242,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,\n \t\tnetoff = TPACKET_ALIGN(po->tp_hdrlen +\n \t\t\t\t       (maclen < 16 ? 
16 : maclen)) +\n \t\t\t\t       po->tp_reserve;\n-\t\tif (po->has_vnet_hdr)\n+\t\tif (po->has_vnet_hdr) {\n \t\t\tnetoff += sizeof(struct virtio_net_hdr);\n+\t\t\tdo_vnet = true;\n+\t\t}\n \t\tmacoff = netoff - maclen;\n \t}\n \tif (po->tp_version <= TPACKET_V2) {\n@@ -2259,8 +2262,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,\n \t\t\t\t\tskb_set_owner_r(copy_skb, sk);\n \t\t\t}\n \t\t\tsnaplen = po->rx_ring.frame_size - macoff;\n-\t\t\tif ((int)snaplen < 0)\n+\t\t\tif ((int)snaplen < 0) {\n \t\t\t\tsnaplen = 0;\n+\t\t\t\tdo_vnet = false;\n+\t\t\t}\n \t\t}\n \t} else if (unlikely(macoff + snaplen >\n \t\t\t    GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {\n@@ -2273,6 +2278,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,\n \t\tif (unlikely((int)snaplen < 0)) {\n \t\t\tsnaplen = 0;\n \t\t\tmacoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;\n+\t\t\tdo_vnet = false;\n \t\t}\n \t}\n \tspin_lock(&sk->sk_receive_queue.lock);\n@@ -2298,7 +2304,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,\n \t}\n \tspin_unlock(&sk->sk_receive_queue.lock);\n \n-\tif (po->has_vnet_hdr) {\n+\tif (do_vnet) {\n \t\tif (virtio_net_hdr_from_skb(skb, h.raw + macoff -\n \t\t\t\t\t    sizeof(struct virtio_net_hdr),\n \t\t\t\t\t    vio_le(), true)) {\n","prefixes":[]}
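Review bot: In the hunk at @@ -2241,8 +2242,10 @@, do_vnet becomes true only inside the if (po->has_vnet_hdr) block where netoff is advanced by sizeof(struct virtio_net_hdr), and the last hunk then tests do_vnet instead of po->has_vnet_hdr. Any path through tpacket_rcv() that has po->has_vnet_hdr set but does not pass through this block will now skip virtio_net_hdr_from_skb() altogether. If that is intended because no room was reserved for the header on such a path, the commit message should say so; it currently mentions only tp_reserve and maclen.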
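Review bot: In the hunk at @@ -2259,8 +2262,10 @@, the decision to suppress the header now hangs on (int)snaplen < 0, which detects macoff exceeding po->rx_ring.frame_size only through the sign of a cast subtraction result. Comparing macoff against po->rx_ring.frame_size directly before the subtraction would state the bound that do_vnet = false actually depends on, and a one-line comment that the header ends at macoff would make it clear why this single check is enough to keep the write at h.raw + macoff - sizeof(struct virtio_net_hdr) inside the frame.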
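Review bot: In the hunk at @@ -2273,6 +2278,7 @@, do_vnet = false follows macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len, so at that point macoff - sizeof(struct virtio_net_hdr) no longer exceeds max_frame_len and the subject line ("beyond end of buffer") does not by itself explain why the header is dropped here. Please add a short comment saying that macoff was clamped and no longer marks where the space for the vnet header was reserved, or clear do_vnet before macoff is overwritten so the ordering shows the reason.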