[RFC] r8169: straighten out overlength frame detection (v3)

Le 05/01/2010 14:57, Neil Horman a écrit :
> Ok, third times the charm.  Its been noted that both apporaches to fixing this
> bug are going to have major performance impacts, which is bad.  Unless we can
> get a list of affected hardware to restrict the fix to certain NICS, I don't see
> how we can get around that.   I have come up with this patch however, which I
> think at least partially addresses the performance concerns.
> 
>         A while back Eric submitted a patch for r8169 in which the proper
> allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too
> much data.  This was done in commit fdd7b4c3302c93f6833e338903ea77245eb510b4.  A
> long time prior to that however, Francois posted
> 126fa4b9ca5d9d7cb7d46f779ad3bd3631ca387c, which expiclitly disabled the MaxSize
> setting due to the fact that the hardware behaved in odd ways when overlong
> frames were received on NIC's supported by this driver.  This was mentioned in a
> security conference recently:
> http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
> 
> It seems that if we can't enable frame size filtering, then, as Eric correctly
> noticed, we can find ourselves DMA-ing too much data to a buffer, causing
> corruption.  As a result is seems that we are forced to allocate a frame which
> is ready to handle a maximally sized receive.
> 
> This obviously has performance issues with it, so to mitigate that issue, this
> patch does two things:
> 
> 1) Raises the copybreak value to the frame allocation size, which should force
> appropriately sized packets to get allocated on rx, rather than a full new 16k
> buffer.
> 
> 2) This patch only disables frame filtering initially (i.e., during the NIC
> open), changing the MTU results in ring buffer allocation of a size in relation
> to the new mtu (along with a warning indicating that this is dangerous).
> 
> Because of item (2), individuals who can't cope with the performance hit (or can
> otherwise filter frames to prevent the bug), or who have hardware they are sure
> is unaffected by this issue, can manually lower the copybreak and reset the mtu
> such that performance is restored easily.
> 
> Signed-off-by: Neil Horman <nhorman@redhat.com>
> 
> 
> 
>  r8169.c |   29 ++++++++++++++++++++++++-----
>  1 file changed, 24 insertions(+), 5 deletions(-)
> 
> 
> diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
> index c403ce0..9aac49c 100644
> --- a/drivers/net/r8169.c
> +++ b/drivers/net/r8169.c
> @@ -186,7 +186,12 @@ static struct pci_device_id rtl8169_pci_tbl[] = {
>  
>  MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl);
>  
> -static int rx_copybreak = 200;
> +/*
> + * we set our copybreak very high so that we don't have
> + * to allocate 16k frames all the time (see note in
> + * rtl8169_open()
> + */ 
> +static int rx_copybreak = 16383;
>  static int use_dac;
>  static struct {
>  	u32 msg_enable;
> @@ -3240,9 +3245,13 @@ static void __devexit rtl8169_remove_one(struct pci_dev *pdev)
>  }
>  
>  static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
> -				  struct net_device *dev)
> +				  unsigned int mtu)
>  {
> -	unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
> +	unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
> +
> +	if (max_frame != 16383)
> +		printk(KERN_WARNING "WARNING! Changing of MTU on this NIC"
> +			"May lead to frame reception errors!\n");
>  
>  	tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
>  }
> @@ -3254,7 +3263,17 @@ static int rtl8169_open(struct net_device *dev)
>  	int retval = -ENOMEM;
>  
>  
> -	rtl8169_set_rxbufsize(tp, dev);
> +	/*
> +	 * Note that we use a magic value here, its wierd I know
> +	 * its done because, some subset of rtl8169 hardware suffers from
> +	 * a problem in which frames received that are longer than 
> +	 * the size set in RxMaxSize register return garbage sizes
> +	 * when received.  To avoid this we need to turn off filtering, 
> +	 * which is done by setting a value of 16383 in the RxMaxSize register
> +	 * and allocating 16k frames to handle the largest possible rx value
> +	 * thats what the magic math below does.
> +	 */
> +	rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN);
>  
>  	/*
>  	 * Rx and Tx desscriptors needs 256 bytes alignment.
> @@ -3907,7 +3926,7 @@ static int rtl8169_change_mtu(struct net_device *dev, int new_mtu)
>  
>  	rtl8169_down(dev);
>  
> -	rtl8169_set_rxbufsize(tp, dev);
> +	rtl8169_set_rxbufsize(tp, dev->mtu);
>  
>  	ret = rtl8169_init_ring(dev);
>  	if (ret < 0)
> --

Its a start, but should not depend on MTU of device.
If a script sets it to 1500, we can have the security problem again ?

We should have static buffers of 16384 bytes, and always copy to freshly allocated skbs.

If hardware is buggy, driver should focus on security first,
performance doesnt matter in this case.

It seems that we should also avoid the sizeof(FCS) subtract too.
(or test that pkt_size is >= min_frame_size)

(the guy was able to feed driver with a 'random' status..., making machine crash again ?

Sorry, I dont have this hardware so cannot test your patch.



Avoiding FCS copy brings almost nothing at all anyway, many drivers dont care.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 05 Jan 2010 16:15:53 +0100

> If hardware is buggy, driver should focus on security first,
> performance doesnt matter in this case.

Copying every packet is way too much of a performance hit to
accept.

Things are not so black and white, there are shades of grey.

We can fix this without making things so slow, try harder...
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Tue, Jan 05, 2010 at 12:40:40PM -0800, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Tue, 05 Jan 2010 16:15:53 +0100
> 
> > If hardware is buggy, driver should focus on security first,
> > performance doesnt matter in this case.
> 
> Copying every packet is way too much of a performance hit to
> accept.
> 
> Things are not so black and white, there are shades of grey.
> 
> We can fix this without making things so slow, try harder...
I think thats what I've done in my third version of the patch here.  By raising
the copybreak value, and setting an initial allocation size of 16k, we:

1) close the security hole by default
2) allow for smaller allocations during run time (allocations of the recevied
frame size, rather than 16k every time)
3) Give the user an out if they need the added performance. They have a module
option to lower the copybreak thrshold, and changing the mtu to a different
value will reset the rx allocation size, and frame filter value (and issue a big
warning that doing so may be dangerous)

As we determine which hardware id's are buggy, we can start blacklisting them
specifically, ejoining them from making mtu changes at all, and when we are
confident we have identified all the buggy hardware, we can flip the default
behavior to allocate a resonable frame size and set a good copybreak threshold
for anything not on the blacklist.

Regards
Neil

> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

From: Neil Horman <nhorman@tuxdriver.com>
Date: Tue, 5 Jan 2010 16:38:56 -0500

> I think thats what I've done in my third version of the patch here.
> By raising the copybreak value, and setting an initial allocation
> size of 16k, we:

Right, I'll take an even closer look at your patch later this
afternoon, thanks Neil.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Tue, Jan 05, 2010 at 01:45:37PM -0800, David Miller wrote:
> From: Neil Horman <nhorman@tuxdriver.com>
> Date: Tue, 5 Jan 2010 16:38:56 -0500
> 
> > I think thats what I've done in my third version of the patch here.
> > By raising the copybreak value, and setting an initial allocation
> > size of 16k, we:
> 
> Right, I'll take an even closer look at your patch later this
> afternoon, thanks Neil.
> 
No problem, thank you Dave!
Neil

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Tue, Jan 05, 2010 at 12:40:40PM -0800, David Miller wrote:
[...]
> We can fix this without making things so slow, try harder...

I have reproduced something which seems rather close to the behavior
described in the ccc paper (I have a couple of old PCI rev 10 8169
chipset based network cards).

The setup includes two r8169 face-to-face. The target has an usual
MTU. I tweaked its skb allocation function to include 4000 bytes
of space instead of the usual 1500 something. It is grossly poisoned
to estimate the size of the actual DMA. The RX descriptor has no
knowledge of the extra buffer space above 1500 bytes.

The sender has a bigger MTU (say 6000) and it sends increasingly
sized ping. No rocket science so far.

The result looks like this (so far I checked only one descriptor at
a time when a packet is received):

entry 000 opts1 0x3281c040 opts2 0x00000000 size 066
entry 001 opts1 0x3486c5ec opts2 0x00000000 size 1518
entry 002 opts1 0x3481c040 opts2 0x00000000 size 066
entry 003 opts1 0x3486c5ed opts2 0x00000000 size 1518
entry 004 opts1 0x3486c5ee opts2 0x00000000 size 1518
entry 005 opts1 0x3481c040 opts2 0x00000000 size 066
entry 006 opts1 0x3486c5ef opts2 0x00000000 size 1522
entry 007 opts1 0x3481c040 opts2 0x00000000 size 066
entry 008 opts1 0x3486c5f0 opts2 0x00000000 size 1522 <- first test packet
entry 009 opts1 0x3486c5f1 opts2 0x00000000 size 1522
entry 010 opts1 0x3486c5f2 opts2 0x00000000 size 1522
entry 011 opts1 0x3486c5f3 opts2 0x00000000 size 1526
entry 012 opts1 0x3486c5f4 opts2 0x00000000 size 1526
entry 013 opts1 0x3486c5f5 opts2 0x00000000 size 1526 <- ... so far so good
entry 014 opts1 0x3486c5f6 opts2 0x00000000 size 1526
entry 015 opts1 0x3486c5f7 opts2 0x00000000 size 1530
entry 016 opts1 0x3486c5f8 opts2 0x00000000 size 1530
entry 017 opts1 0x3486c5f9 opts2 0x00000000 size 1530
entry 018 opts1 0x3486c5fa opts2 0x00000000 size 1530
entry 019 opts1 0x3486c5fb opts2 0x00000000 size 1534
entry 020 opts1 0x3486c5fc opts2 0x00000000 size 1534
entry 021 opts1 0x3486c5fd opts2 0x00000000 size 1534
entry 022 opts1 0x3486c5fe opts2 0x00000000 size 1534
entry 023 opts1 0x3486c5ff opts2 0x00000000 size 1536
entry 024 opts1 0x20803ff0 opts2 0x00000000 size 1536 <- problem starts here.
entry 025 opts1 0x00803ff0 opts2 0x00000000 size 1536    The lines below are
entry 026 opts1 0x00803ff0 opts2 0x00000000 size 1536    not meaningful.
entry 027 opts1 0x00803ff0 opts2 0x00000000 size 1536

The driver will mess things up because it needs the desc->opts1.RxRes bit
to be set before it claims that the packet is broken. Since this condition
is not fulfilled when opts1 = 0x20803ff0, the problem goes unnoticed and
it can be further exploited.

AFAIUI, if the driver does not lose sync (to use the paper's words), i.e.
if it notices the condition above and stops / resets the chipset, there
is not much to exploit.

From: Francois Romieu <romieu@fr.zoreil.com>
Date: Thu, 7 Jan 2010 02:01:22 +0100

> entry 024 opts1 0x20803ff0 opts2 0x00000000 size 1536 <- problem starts here.
> entry 025 opts1 0x00803ff0 opts2 0x00000000 size 1536    The lines below are
> entry 026 opts1 0x00803ff0 opts2 0x00000000 size 1536    not meaningful.
> entry 027 opts1 0x00803ff0 opts2 0x00000000 size 1536
> 
> The driver will mess things up because it needs the desc->opts1.RxRes bit
> to be set before it claims that the packet is broken. Since this condition
> is not fulfilled when opts1 = 0x20803ff0, the problem goes unnoticed and
> it can be further exploited.
> 
> AFAIUI, if the driver does not lose sync (to use the paper's words), i.e.
> if it notices the condition above and stops / resets the chipset, there
> is not much to exploit.

Thanks for doing this test.

Also note the FirstFrag and LastFrag bits.  Here we see FirstFrag set,
and this indicates a fragmented frame.

The fix seems to be to simply check the error bits unconditionally, or
alternatively validate the FirstFrag and LastFrag bits
unconditionally.

I don't even think we need to reset the chip, just do what the code
does now and recycle the buffer back to the chip as we currently do
when RxRes is set.  We can keep a state bit around, showing that we
saw the beginning of a fragmented frame, and we recycle buffers back
to the chip when in state state until we see LastFrag.

That should work, right?

In your trace, we're merely seeing the >1536 frame being chopped
into a fragmented frame by the device.  The first one has FirstFrag
set and the remaining (that you've shown) have neither bit set.

Did you eventually get a descriptor with LastFrag (bit 28) set?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Wed, Jan 06, 2010 at 05:15:14PM -0800, David Miller wrote:
[...]
> I don't even think we need to reset the chip, just do what the code
> does now and recycle the buffer back to the chip as we currently do
> when RxRes is set.  We can keep a state bit around, showing that we
> saw the beginning of a fragmented frame, and we recycle buffers back
> to the chip when in state state until we see LastFrag.
> 
> That should work, right ?
> 
> In your trace, we're merely seeing the >1536 frame being chopped
> into a fragmented frame by the device.  The first one has FirstFrag
> set and the remaining (that you've shown) have neither bit set.
> 
> Did you eventually get a descriptor with LastFrag (bit 28) set?

Yes.

For a single packet, at the time the first interruption is received,
4 Rx descriptors have been written. The FirstFrag bit is set on the
first descriptor only and the LastFrag bit is not set anywhere :

entry 019 opts1 0x20803ff0 opts2 0x00000000 used 1536 <- FirstFrag
entry 020 opts1 0x00803ff0 opts2 0x00000000 used 1536
entry 021 opts1 0x00803ff0 opts2 0x00000000 used 1536
entry 022 opts1 0x00803ff0 opts2 0x00000000 used 1536
entry 023 opts1 0x80000600 opts2 0x00000000 used 1524
                                                 ^^^^
(apparently we race with the DMA transfer)

More events pop up, starting at 023. They are all identical to 20 / 21 /22.
It then ends as :

entry 028 opts1 0x00803ff0 opts2 0x00000000 used 1536
entry 029 opts1 0x10803ff0 opts2 0x00000000 used 1010 <- LastFrag bit set
entry 030 opts1 0x80000600 opts2 0x00000000 used 000  <- 0 used byte. Entry
entry 031 opts1 0x80000600 opts2 0x00000000 used 000     is available.
entry 032 opts1 0x80000600 opts2 0x00000000 used 000

The total size of the DMA is not far from 16384 bytes (1536 * 10 + 1010).

Simply recycling the buffer may work. I'll do a few tests with it : I am
still unable to corrupt the descriptor ring itself.

From: Francois Romieu <romieu@fr.zoreil.com>
Date: Sat, 9 Jan 2010 00:48:00 +0100

> For a single packet, at the time the first interruption is received,
> 4 Rx descriptors have been written. The FirstFrag bit is set on the
> first descriptor only and the LastFrag bit is not set anywhere :
> 
> entry 019 opts1 0x20803ff0 opts2 0x00000000 used 1536 <- FirstFrag
> entry 020 opts1 0x00803ff0 opts2 0x00000000 used 1536
> entry 021 opts1 0x00803ff0 opts2 0x00000000 used 1536
> entry 022 opts1 0x00803ff0 opts2 0x00000000 used 1536
> entry 023 opts1 0x80000600 opts2 0x00000000 used 1524
>                                                  ^^^^
> (apparently we race with the DMA transfer)
>
> More events pop up, starting at 023. They are all identical to 20 / 21 /22.
> It then ends as :
> 
> entry 028 opts1 0x00803ff0 opts2 0x00000000 used 1536
> entry 029 opts1 0x10803ff0 opts2 0x00000000 used 1010 <- LastFrag bit set
> entry 030 opts1 0x80000600 opts2 0x00000000 used 000  <- 0 used byte. Entry
> entry 031 opts1 0x80000600 opts2 0x00000000 used 000     is available.
> entry 032 opts1 0x80000600 opts2 0x00000000 used 000
> 
> The total size of the DMA is not far from 16384 bytes (1536 * 10 + 1010).

My guess is that once the chip starts filling out frags like this,
the signal to trigger what should be the LastFrag entry never
propagates to the DMA engine and thus the descriptor table.

Thus the device just keeps filling packet contents with subsequent
data, with FirstFrag and LastFrag clear, until that ~16K limit is
reached.  At which point it finally sets LastFrag.

> Simply recycling the buffer may work. I'll do a few tests with it : I am
> still unable to corrupt the descriptor ring itself.

Whilst the above will end up gobbling up to (16K - BIG_PACKET_SZ)
worth of innocent frames, the DMA engine seems to keep things at least
self-consistent.

The only bug seems to be the omission of the LastFrag trigger at the
proper place.

About recycling, as far as I can tell that's exactly what the driver
already does in these exact cases, right?  If RxRes is not set, and
we don't see both FirstFrag and LastFrag set, we'll recycle the frame.

		if (unlikely(status & RxRES)) {
 ...
		} else {
 ...
			if (unlikely(rtl8169_fragmented_frame(status))) {
				dev->stats.rx_dropped++;
				dev->stats.rx_length_errors++;
				rtl8169_mark_to_asic(desc, tp->rx_buf_sz);
				continue;
			}

Therefore we shouldn't need to change anything and there is actually
no "bug" or "exploit" at all.  We just end up dropping some RX frames
because the chip didn't DMA them properly.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Fri, 2010-01-08 at 16:02 -0800, David Miller wrote:
[...]
> Whilst the above will end up gobbling up to (16K - BIG_PACKET_SZ)
> worth of innocent frames, the DMA engine seems to keep things at least
> self-consistent.
> 
> The only bug seems to be the omission of the LastFrag trigger at the
> proper place.

No, the attacker controls the completion status by writing it in
previous valid frames.  Please read the slides
(<http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf> pages 80-87).

I suspect that:
1. There is an internal ring buffer for RX DMA containing both frame
payload and completion status
2. When a frame is (slightly?) over-length, the ingress and egress logic
can disagree about the length of payload in the buffer
3. This results in stale data (usually frame payload) being written to
memory as the completion status

It is conceivable that the bug can be avoided simply by rounding the 
RxMaxSize.

[...]
> Therefore we shouldn't need to change anything and there is actually
> no "bug" or "exploit" at all.  We just end up dropping some RX frames
> because the chip didn't DMA them properly.

The intent of the exploit is precisely to cause other packets to be
dropped!

Ben.

On Sun, Jan 10, 2010 at 01:57:18AM +0000, Ben Hutchings wrote:
> On Fri, 2010-01-08 at 16:02 -0800, David Miller wrote:
> [...]
> > Whilst the above will end up gobbling up to (16K - BIG_PACKET_SZ)
> > worth of innocent frames, the DMA engine seems to keep things at least
> > self-consistent.
> > 
> > The only bug seems to be the omission of the LastFrag trigger at the
> > proper place.
> 
> No, the attacker controls the completion status by writing it in
> previous valid frames.  Please read the slides
> (<http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf> pages 80-87).

Yes.

The paper suggests that it should be possible to control opts1
either completely or enough to break things badly.

The first packet does not hurt too much. Things look different in
the descriptor of the subsequent packets. I am more or less able
to control bits 8-23 from 0-31 in opts1, enough to be unpleasant.

Iff the FirstFrag and LastFrag bits can not be set on these packets,
it should be enough to (1) do the fragmented_frame test sooner and
return the descriptor to the chipset. Otherwise we can (2) take a
complete reset on the first suspect packet (whose pattern is more
specific) to stop the challenger here.

FWIW, a netratelimited printk of the source mac address may help too.

I am biased in favor of (2) as:
- it will not inhibit multi-desc packets
- the challenger is supposed to be in the LAN and can already hurt
  quite a lot anyway

Comments ?

From: Francois Romieu <romieu@fr.zoreil.com>
Date: Mon, 11 Jan 2010 00:50:17 +0100

> Iff the FirstFrag and LastFrag bits can not be set on these packets,
> it should be enough to (1) do the fragmented_frame test sooner and
> return the descriptor to the chipset. Otherwise we can (2) take a
> complete reset on the first suspect packet (whose pattern is more
> specific) to stop the challenger here.
> 
> FWIW, a netratelimited printk of the source mac address may help too.
> 
> I am biased in favor of (2) as:
> - it will not inhibit multi-desc packets
> - the challenger is supposed to be in the LAN and can already hurt
>   quite a lot anyway
> 
> Comments ?

In my opinion if you reset, you give them more power.

Instead of just dropping the next few frames, you allow them
to cause a drop of how ever many RX frames can arrive during
the reset period _PLUS_ the amount of other RX frames which
were in the receive ring at the point of detection.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Sun, Jan 10, 2010 at 10:45:04PM -0800, David Miller wrote:
[...]
> In my opinion if you reset, you give them more power.
> 
> Instead of just dropping the next few frames, you allow them
> to cause a drop of how ever many RX frames can arrive during
> the reset period _PLUS_ the amount of other RX frames which
> were in the receive ring at the point of detection.

Sure.

The fragmented frame test has been moved a few lines up, before checking
for the status bits. Exceedingly small frames are detected and dropped
as well.

I have spent the evening disrupting the communication. As a challenger
one does not even need complete control : send a few random packets and
the card goes to neverland. :o/

I'll do some tests limiting the crap at the first packet.

From: Francois Romieu <romieu@fr.zoreil.com>
Date: Tue, 12 Jan 2010 01:16:46 +0100

> I have spent the evening disrupting the communication. As a challenger
> one does not even need complete control : send a few random packets and
> the card goes to neverland. :o/
> 
> I'll do some tests limiting the crap at the first packet.

Thanks for doing this work Francois.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On 22:24 Mon 11 Jan 2010, David Miller wrote:
> From: Francois Romieu <romieu@fr.zoreil.com>
> Date: Tue, 12 Jan 2010 01:16:46 +0100
> 
> > I have spent the evening disrupting the communication. As a challenger
> > one does not even need complete control : send a few random packets and
> > the card goes to neverland. :o/
> > 
> > I'll do some tests limiting the crap at the first packet.
> 
> Thanks for doing this work Francois.

How is the testing going? 

Thanks again,

	Brandon
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Tue, Jan 12, 2010 at 01:16:46AM +0100, Francois Romieu wrote:
> On Sun, Jan 10, 2010 at 10:45:04PM -0800, David Miller wrote:
> [...]
> > In my opinion if you reset, you give them more power.
> > 
> > Instead of just dropping the next few frames, you allow them
> > to cause a drop of how ever many RX frames can arrive during
> > the reset period _PLUS_ the amount of other RX frames which
> > were in the receive ring at the point of detection.
> 
> Sure.
> 
> The fragmented frame test has been moved a few lines up, before checking
> for the status bits. Exceedingly small frames are detected and dropped
> as well.
> 
> I have spent the evening disrupting the communication. As a challenger
> one does not even need complete control : send a few random packets and
> the card goes to neverland. :o/
> 
> I'll do some tests limiting the crap at the first packet.
> 
Any further results you can share with us Francois?

Thanks
Neil
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On 16:50 Sat 30 Jan 2010, Neil Horman wrote:
> On Tue, Jan 12, 2010 at 01:16:46AM +0100, Francois Romieu wrote:
> > On Sun, Jan 10, 2010 at 10:45:04PM -0800, David Miller wrote:
> > [...]
> > > In my opinion if you reset, you give them more power.
> > > 
> > > Instead of just dropping the next few frames, you allow them
> > > to cause a drop of how ever many RX frames can arrive during
> > > the reset period _PLUS_ the amount of other RX frames which
> > > were in the receive ring at the point of detection.
> > 
> > Sure.
> > 
> > The fragmented frame test has been moved a few lines up, before checking
> > for the status bits. Exceedingly small frames are detected and dropped
> > as well.
> > 
> > I have spent the evening disrupting the communication. As a challenger
> > one does not even need complete control : send a few random packets and
> > the card goes to neverland. :o/
> > 
> > I'll do some tests limiting the crap at the first packet.
> > 
> Any further results you can share with us Francois?

Can I offer any help? I found that I have access to a Rev 0x10 card.

Cheers,

	Brandon
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html