From: Maxim Uvarov Date: Thu, 18 Oct 2012 17:43:58 +0000 (-0700) Subject: [net/sfc] limit number of segments per skb on tx X-Git-Tag: v2.6.39-400.9.0~224 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=fd3e4b5fa49ff35a0596a6bc2c19bb3fce66335e;p=users%2Fjedix%2Flinux-maple.git [net/sfc] limit number of segments per skb on tx Orabug: 14769994 This fixes: CVE-2012-3412 The kernels have 5b6262d0ccf759a16fabe11d904a2531125a4b71 (sfc: Replace some literal constants with EFX_PAGE_SIZE/EFX_BUF_SIZE) and 7e6d06f0de3f74ca929441add094518ae332257c (sfc: Fix maximum number of TSO segments and minimum TX queue size) from upstream but the upstream version relies on the TCP layer limiting the maximum number of GSO segments which isn't in UEK. 30b678d844af3305cda5953467005cebb5d7b687 (net: Allow driver to limit number of GSO segments per skb) provided this in mainline. Instead of modifing network stack we fix add additional check to efx_enqueue_skb_tso(). Signed-off-by: Maxim Uvarov --- diff --git a/drivers/net/sfc/tx.c b/drivers/net/sfc/tx.c index 6d3b68a8478c..aa51c0957113 100644 --- a/drivers/net/sfc/tx.c +++ b/drivers/net/sfc/tx.c @@ -1132,6 +1132,21 @@ static int efx_enqueue_skb_tso(struct efx_tx_queue *tx_queue, int frag_i, rc, rc2 = NETDEV_TX_OK; struct tso_state state; + /* Since the stack does not limit the number of segments per + * skb, we must do so. Otherwise an attacker may be able to + * make the TCP produce skbs that will never fit in our TX + * queue, causing repeated resets. + */ + if (unlikely(skb_shinfo(skb)->gso_segs > EFX_TSO_MAX_SEGS)) { + unsigned int excess = + (skb_shinfo(skb)->gso_segs - EFX_TSO_MAX_SEGS) * + skb_shinfo(skb)->gso_size; + if (__pskb_trim(skb, skb->len - excess)) { + dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + } + /* Find the packet protocol and sanity-check it */ state.protocol = efx_tso_check_protocol(skb);