Gitweb:
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e7c243c925f6d9dcb898504ff24d6650b5cbb3b1
Commit: e7c243c925f6d9dcb898504ff24d6650b5cbb3b1
Parent: 7c8347a91dbbb723d8ed106ec817dabac97f2bbc
Author: Evgeniy Polyakov <[EMAIL PROTECTED]>
AuthorDate: Fri Aug 24 23:36:29 2007 -0700
Committer: David S. Miller <[EMAIL PROTECTED]>
CommitDate: Sun Aug 26 18:35:47 2007 -0700
[VLAN/BRIDGE]: Fix "skb_pull_rcsum - Fatal exception in interrupt"
I tried to preserve bridging code as it was before, but logic is quite
strange - I think we should free skb on error, since it is already
unshared and thus will just leak.
Herbert Xu states:
> + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
> + goto out;
If this happens it'll be a double-free on skb since we'll
return NF_DROP which makes the caller free it too.
We could return NF_STOLEN to prevent that but I'm not sure
whether that's correct netfilter semantics. Patrick, could
you please make a call on this?
Patrick McHardy states:
NF_STOLEN should work fine here.
Signed-off-by: Evgeniy Polyakov <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
net/8021q/vlan_dev.c | 12 +++++++++++-
net/bridge/br_netfilter.c | 12 +++++++-----
2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 4bab322..328759c 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -116,12 +116,22 @@ int vlan_skb_recv(struct sk_buff *skb, struct net_device
*dev,
struct packet_type* ptype, struct net_device *orig_dev)
{
unsigned char *rawp = NULL;
- struct vlan_hdr *vhdr = (struct vlan_hdr *)(skb->data);
+ struct vlan_hdr *vhdr;
unsigned short vid;
struct net_device_stats *stats;
unsigned short vlan_TCI;
__be16 proto;
+ if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
+ return -1;
+
+ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) {
+ kfree_skb(skb);
+ return -1;
+ }
+
+ vhdr = (struct vlan_hdr *)(skb->data);
+
/* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */
vlan_TCI = ntohs(vhdr->h_vlan_TCI);
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index fa77987..3ee2022 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -509,8 +509,14 @@ static unsigned int br_nf_pre_routing(unsigned int hook,
struct sk_buff **pskb,
int (*okfn)(struct sk_buff *))
{
struct iphdr *iph;
- __u32 len;
struct sk_buff *skb = *pskb;
+ __u32 len = nf_bridge_encap_header_len(skb);
+
+ if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
+ return NF_STOLEN;
+
+ if (unlikely(!pskb_may_pull(skb, len)))
+ goto out;
if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
IS_PPPOE_IPV6(skb)) {
@@ -518,8 +524,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook,
struct sk_buff **pskb,
if (!brnf_call_ip6tables)
return NF_ACCEPT;
#endif
- if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
- goto out;
nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
}
@@ -532,8 +536,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook,
struct sk_buff **pskb,
!IS_PPPOE_IP(skb))
return NF_ACCEPT;
- if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
- goto out;
nf_bridge_pull_encap_header_rcsum(skb);
if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
