Skip to content

Commit edbd58b

Browse files
gobenjidavem330
authored andcommitted
packet: Don't write vnet header beyond end of buffer
... which may happen with certain values of tp_reserve and maclen. Fixes: 58d19b1 ("packet: vnet_hdr support for tpacket_rcv") Signed-off-by: Benjamin Poirier <bpoirier@suse.com> Cc: Willem de Bruijn <willemb@google.com> Acked-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent d55c60e commit edbd58b

File tree

1 file changed

+9
-3
lines changed

1 file changed

+9
-3
lines changed

Diff for: net/packet/af_packet.c

+9-3
Original file line numberDiff line numberDiff line change
@@ -2191,6 +2191,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
21912191
struct timespec ts;
21922192
__u32 ts_status;
21932193
bool is_drop_n_account = false;
2194+
bool do_vnet = false;
21942195

21952196
/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
21962197
* We may add members to them until current aligned size without forcing
@@ -2241,8 +2242,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
22412242
netoff = TPACKET_ALIGN(po->tp_hdrlen +
22422243
(maclen < 16 ? 16 : maclen)) +
22432244
po->tp_reserve;
2244-
if (po->has_vnet_hdr)
2245+
if (po->has_vnet_hdr) {
22452246
netoff += sizeof(struct virtio_net_hdr);
2247+
do_vnet = true;
2248+
}
22462249
macoff = netoff - maclen;
22472250
}
22482251
if (po->tp_version <= TPACKET_V2) {
@@ -2259,8 +2262,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
22592262
skb_set_owner_r(copy_skb, sk);
22602263
}
22612264
snaplen = po->rx_ring.frame_size - macoff;
2262-
if ((int)snaplen < 0)
2265+
if ((int)snaplen < 0) {
22632266
snaplen = 0;
2267+
do_vnet = false;
2268+
}
22642269
}
22652270
} else if (unlikely(macoff + snaplen >
22662271
GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
@@ -2273,6 +2278,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
22732278
if (unlikely((int)snaplen < 0)) {
22742279
snaplen = 0;
22752280
macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
2281+
do_vnet = false;
22762282
}
22772283
}
22782284
spin_lock(&sk->sk_receive_queue.lock);
@@ -2298,7 +2304,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
22982304
}
22992305
spin_unlock(&sk->sk_receive_queue.lock);
23002306

2301-
if (po->has_vnet_hdr) {
2307+
if (do_vnet) {
23022308
if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
23032309
sizeof(struct virtio_net_hdr),
23042310
vio_le(), true)) {

0 commit comments

Comments
 (0)