On 06.12.2010 14:06, Michal Sojka wrote:
> skb->sk is used in dev_pick_tx() which is called from dev_queue_xmit(). If
> sk points to an arbitrary magic value, dev_pick_tx() returns a wrong value,
> which can lead to various memory corruption bugs.
>
> In commit a4ee3ce3293dc931fab19beb472a8bde1295aebe dev_pick_tx() was
> changed to look at the new field in the socket called sk_tx_queue_mapping.
Hello Michal,
thanks for tracking down this issue. Indeed this problem was not visible on my
x86 box and of course not on the 2.6.28.10 mpc5200 system ;-)
Defining a struct sock to create a unique address for the routing detection is
a good idea, and it additionally satisfies dev_pick_tx().
I'll apply your patch to the SVN.
Tnx,
Oliver
> ---
> net/can/gw.c | 11 ++++++++---
> 1 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/net/can/gw.c b/net/can/gw.c
> index 3e9fd3e..d21b678 100644
> --- a/net/can/gw.c
> +++ b/net/can/gw.c
> @@ -58,6 +58,7 @@
> #include <socketcan/can/gw.h>
> #include <net/rtnetlink.h>
> #include <net/net_namespace.h>
> +#include <net/sock.h>
>
> #define CAN_GW_VERSION "20101205"
> static __initdata const char banner[] =
> @@ -73,7 +74,11 @@ static struct notifier_block notifier;
>
> static struct kmem_cache *cgw_cache __read_mostly;
>
> -#define CGW_SK_MAGIC ((void *)(¬ifier))
> +static struct sock gw_dummy_sk = {
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,33)
> + .sk_tx_queue_mapping = -1,
> +#endif
> +};
>
> /* structure that contains the (on-the-fly) CAN frame modifications */
> struct cf_mod {
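Review bot: `gw_dummy_sk` is introduced without a comment, and nothing at its definition says that it is only an address marker whose single meaningful field is `sk_tx_queue_mapping`. I would add above it `/* dummy sock: marks frames already routed by the gateway; never refcounted, only sk_tx_queue_mapping is set */`. Every other member is zero-initialised, so any transmit-path code that reads further fields through skb->sk sees an all-zero socket rather than an initialised one; that looks intended here but is worth stating, since the commit message ties the original corruption to dev_pick_tx() reading through this pointer. The `#if` guard also relies on `LINUX_VERSION_CODE` and `KERNEL_VERSION` being defined, and the include that provides them is not visible in this patch.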
> @@ -343,7 +348,7 @@ static void can_can_gw_rcv(struct sk_buff *skb, void
> *data)
> int modidx = 0;
>
> /* do not handle already routed frames */
> - if (skb->sk == CGW_SK_MAGIC)
> + if (skb->sk == &gw_dummy_sk)
> return;
>
> if (!(gwj->dst.dev->flags & IFF_UP)) {
> @@ -368,7 +373,7 @@ static void can_can_gw_rcv(struct sk_buff *skb, void
> *data)
> }
>
> /* mark routed frames with a 'special' sk value */
> - nskb->sk = CGW_SK_MAGIC;
> + nskb->sk = &gw_dummy_sk;
> nskb->dev = gwj->dst.dev;
>
> /* pointer to modifiable CAN frame */
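Review bot: The assignment `nskb->sk = &gw_dummy_sk;` attaches a static object on which no reference is held, and the hunk does not show that `nskb->destructor` is unset at this point. How nskb is allocated lies outside the hunk, so this is a request to confirm rather than a confirmed defect: a destructor that expects a real socket would be handed the dummy one when the frame is freed. The comment above the line could record the assumption, e.g. `/* mark routed frames with the gateway's dummy sock; no reference taken, destructor stays NULL */`. can_can_gw_rcv() starts before and continues after this hunk.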