Sowmini points out two vulnerabilities in xen-netfront:
a) The code assumes that skb->len is at least ETH_HLEN.
b) The code assumes that at least ETH_HLEN octets are in the linear
port of the socket buffer.
This patch adds tests for both of these, and in the case of the latter
pulls sufficient bytes into the linear area.
Signed-off-by: Paul Durrant <paul.durr...@citrix.com>
Reported-by: Sowmini Varadhan <sowmini.varad...@oracle.com>
Tested-by: Sowmini Varadhan <sowmini.varad...@oracle.com>
---
Cc: Boris Ostrovsky <boris.ostrov...@oracle.com>
Cc: Juergen Gross <jgr...@suse.com>
---
drivers/net/xen-netfront.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 40f26b6..0478809 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -567,6 +567,10 @@ static int xennet_start_xmit(struct sk_buff *skb, struct
net_device *dev)
u16 queue_index;
struct sk_buff *nskb;
+ /* Basic sanity check */
+ if (unlikely(skb->len < ETH_HLEN))
+ goto drop;
+
/* Drop the packet if no queues are set up */
if (num_queues < 1)
goto drop;
@@ -609,6 +613,11 @@ static int xennet_start_xmit(struct sk_buff *skb, struct
net_device *dev)
}
len = skb_headlen(skb);
+ if (unlikely(len < ETH_HLEN)) {
+ if (!__pskb_pull_tail(skb, ETH_HLEN - len))
+ goto drop;
+ len = ETH_HLEN;
+ }
spin_lock_irqsave(&queue->tx_lock, flags);
--
2.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
