From dfba10cbc524968ee7eddb551a74fb0608b0af1c Mon Sep 17 00:00:00 2001
From: Benjamin Poirier <bpoirier@suse.de>
Date: Wed, 30 Nov 2011 07:47:18 -0500
Subject: [PATCH 1/2] gro: reset vlan_tci on reuse

This one liner is part of upstream

commit 3701e51382a026cba10c60b03efabe534fba4ca4
Author: Jesse Gross <jesse@nicira.com>

    vlan: Centralize handling of hardware acceleration.

The bulk of that commit is a rework of the hardware assisted vlan tagging
driver interface, and as such doesn't classify for -stable inclusion. The fix
that is needed is a part of that commit but can work independently of the
rest.

This patch can avoid panics on the 2.6.32.y -stable kernels and is in the same
spirit as mainline commits

    66c46d7 gro: Reset dev pointer on reuse
    6d152e2 gro: reset skb_iif on reuse

which are already in -stable.

For drivers using the vlan_gro_frags() interface, a packet with an invalid tci
leads to GRO_DROP and napi_reuse_skb(). The skb has to be sanitized before
being reused or we may send an skb with an invalid vlan_tci field up the stack
where it is not expected.

Signed-off-by: Benjamin Poirier <bpoirier@suse.de>
Cc: Jesse Gross <jesse@nicira.com>
Acked-by: David S. Miller <davem@davemloft.net>
(picked with minor fuzz from the 2.6.32 longterm queue)
CVE-2011-1576
BugLink: http://bugs.launchpad.net/bugs/844361
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
net/core/dev.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
@@ -3231,6 +3231,7 @@ void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
{
__skb_pull(skb, skb_headlen(skb));
skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
+ skb->vlan_tci = 0;
skb->dev = napi->dev;
skb->skb_iif = 0;
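
Review bot: The new `skb->vlan_tci = 0;` line in napi_reuse_skb() is correct for the GRO_DROP path the message describes, but the function still carries no comment stating the rule it enforces, and this is the third per-packet field (after `skb->dev` and `skb->skb_iif`) to be reset here by a separate fix. Consider adding a short comment above these assignments saying that every field the receive path sets per packet must be cleared before the skb is handed back for reuse, so the next field added to that path gets its reset here too. Since this was picked with fuzz onto a tree that lacks the rest of the upstream vlan rework, it is also worth confirming in the changelog that no other field written by the vlan_gro_frags() path in this tree survives the reuse.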
--
1.7.5.4