APPLIED: [CVE-2011-1576] core: Fix memory leak/corruption on VLAN GRO_DROP

Message ID 4EDF9B1D.2080500@canonical.com
State New

Commit Message

Stefan Bader Dec. 7, 2011, 4:58 p.m. UTC
That's the alternate patch
Patch

From dfba10cbc524968ee7eddb551a74fb0608b0af1c Mon Sep 17 00:00:00 2001
From: Benjamin Poirier <bpoirier@suse.de>
Date: Wed, 30 Nov 2011 07:47:18 -0500
Subject: [PATCH 1/2] gro: reset vlan_tci on reuse

This one-liner is part of upstream
commit 3701e51382a026cba10c60b03efabe534fba4ca4
Author: Jesse Gross <jesse@nicira.com>

    vlan: Centralize handling of hardware acceleration.

The bulk of that commit is a rework of the hardware assisted vlan tagging
driver interface, and as such doesn't classify for -stable inclusion. The fix
that is needed is a part of that commit but can work independently of the
rest.

This patch can avoid panics on the 2.6.32.y -stable kernels and is in the same
spirit as mainline commits
66c46d7 gro: Reset dev pointer on reuse
6d152e2 gro: reset skb_iif on reuse
which are already in -stable.

For drivers using the vlan_gro_frags() interface, a packet with an invalid tci
leads to GRO_DROP and napi_reuse_skb(). The skb has to be sanitized before
being reused or we may send an skb with an invalid vlan_tci field up the stack
where it is not expected.

Signed-off-by: Benjamin Poirier <bpoirier@suse.de>
Cc: Jesse Gross <jesse@nicira.com>
Acked-by: David S. Miller <davem@davemloft.net>

(picked with minor fuzz from the 2.6.32 longterm queue)
CVE-2011-1576
BugLink: http://bugs.launchpad.net/bugs/844361
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 net/core/dev.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 52ec7f4..f61bf98 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3231,6 +3231,7 @@  void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
 {
 	__skb_pull(skb, skb_headlen(skb));
 	skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
+	skb->vlan_tci = 0;
 	skb->dev = napi->dev;
 	skb->skb_iif = 0;
 
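Review bot: the added `skb->vlan_tci = 0;` carries no comment explaining why this field in particular must be cleared here, while the neighbouring `skb->dev` and `skb->skb_iif` resets from the earlier -stable commits are at least documented by their own commit messages. Since napi_reuse_skb() is the single sanitization point for an skb handed back after GRO_DROP, and the commit message states that vlan_gro_frags() callers can reach it with an invalid tci, a one-line comment such as `/* clear stale hw-accel vlan tag before reuse (vlan_gro_frags GRO_DROP path) */` would make the intent survive the backport. Also worth confirming in the 2.6.32.y tree that this offset (taken "with minor fuzz") still lands inside napi_reuse_skb() and not a neighbouring function, as the hunk header shows the function signature but the context lines are generic.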
-- 
1.7.5.4