This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] [patch] bridge netfilter bug

To: netdev@xxxxxxxxxxxxxxx
Subject: [Xen-devel] [patch] bridge netfilter bug
From: Gerd Hoffmann <kraxel@xxxxxxx>
Date: Fri, 18 Aug 2006 10:23:35 +0200
Cc: Xen devel list <xen-devel@xxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxxxx>
Delivery-date: Fri, 18 Aug 2006 01:24:33 -0700
User-agent: Thunderbird (X11/20060725)

The bridging code copies 16 bytes unconditionally, whereas the Ethernet
header is 14 bytes only.  In most cases it works ok nevertheless due to
NET_IP_ALIGN, sometimes it doesn't though.  Fix is attached below.

Please apply,


Gerd Hoffmann <kraxel@xxxxxxx>
Subject: nf_bridge: ethernet header is 14 not 16 bytes
From: jbeulich@xxxxxxxxxx
Acked-by: kraxel@xxxxxxx
References: 150410

The bridge netfilter code saves two more bytes than it should.
In most cases it doesn't hurt because many drivers use NET_IP_ALIGN
to make the IP header aligned, so there are two extra bytes of headroom.

Some drivers don't do that though (sky2 for example), so copying
accesses data outside the skbuff data allocation.  On xen kernels
this can kill the machine with a page fault due to the way
skbuffs are allocated and the memory is managed.

 include/linux/netfilter_bridge.h |    2 +-
 net/bridge/br_netfilter.c        |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.17.orig/include/linux/netfilter_bridge.h
+++ linux-2.6.17/include/linux/netfilter_bridge.h
@@ -57,7 +57,7 @@ void nf_bridge_maybe_copy_header(struct 
                        memcpy(skb->data - 18, skb->nf_bridge->data, 18);
                        skb_push(skb, 4);
                } else
-                       memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+                       memcpy(skb->data - 14, skb->nf_bridge->data, 14);
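Review bot: In the else branch the new length 14 is written twice as a bare literal (offset and size), next to the 18 used twice in the VLAN branch above it; using ETH_HLEN here, and a named constant for the 18, would tie the offset and the length to one definition. This restore length also has to equal header_size in nf_bridge_save_header() in br_netfilter.c, so a shared constant or small helper used by both sites would keep the two from drifting apart.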
--- linux-2.6.17.orig/net/bridge/br_netfilter.c
+++ linux-2.6.17/net/bridge/br_netfilter.c
@@ -124,7 +124,7 @@ static inline struct nf_bridge_info *nf_
 static inline void nf_bridge_save_header(struct sk_buff *skb)
-        int header_size = 16;
+        int header_size = 14;
        if (skb->protocol == htons(ETH_P_8021Q))
                header_size = 18;
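Review bot: header_size = 14 in nf_bridge_save_header() is a second hard-coded copy of the length used in nf_bridge_maybe_copy_header(), with no comment saying it is the Ethernet header length; ETH_HLEN (and a named constant for the 18 in the ETH_P_8021Q case) would make the intent visible. Nothing in the visible lines checks that the skb has at least header_size bytes of headroom before the copy, so a comment stating that invariant, or a check on it, would document why 14 and 18 are safe.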
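The headroom arithmetic from the commit message above, as an added user-space model in C (not kernel code and not part of the original patch): `struct model_skb` and its helpers are hypothetical stand-ins for the sk_buff fields involved, and the checked copy refuses any length that would start before the allocation.

```c
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14 /* Ethernet header */
#define VLAN_ETH_HLEN 18 /* Ethernet header plus 802.1Q tag */
#define NET_IP_ALIGN   2 /* padding some drivers put before the frame */

/* Hypothetical user-space stand-in for the sk_buff fields involved. */
struct model_skb {
    unsigned char buf[64]; /* the data allocation */
    unsigned char *head;   /* start of the allocation */
    unsigned char *data;   /* first byte after the link-layer header */
};

/* Lay out a received frame: pad bytes, then hdr_len bytes of header. */
static void model_rx(struct model_skb *skb, size_t pad, size_t hdr_len)
{
    memset(skb->buf, 0xEE, sizeof(skb->buf)); /* constructed contents */
    skb->head = skb->buf;
    skb->data = skb->buf + pad + hdr_len;
}

/* Bytes a copy of len ending at skb->data would reach before skb->head. */
static size_t bytes_before_head(const struct model_skb *skb, size_t len)
{
    size_t headroom = (size_t)(skb->data - skb->head);
    return len > headroom ? len - headroom : 0;
}

/* Save len header bytes; refuse (-1) instead of reading out of bounds. */
static int save_header_checked(const struct model_skb *skb,
                               unsigned char *save, size_t len)
{
    if (bytes_before_head(skb, len) != 0)
        return -1;
    memcpy(save, skb->data - len, len);
    return 0;
}

int main(void)
{
    struct model_skb skb;
    unsigned char save[VLAN_ETH_HLEN];
    model_rx(&skb, NET_IP_ALIGN, ETH_HLEN); /* driver that pads */
    printf("padded,   copy 16: %d\n", save_header_checked(&skb, save, 16));
    model_rx(&skb, 0, ETH_HLEN);            /* driver that does not pad */
    printf("unpadded, copy 16: %d\n", save_header_checked(&skb, save, 16));
    printf("unpadded, copy 14: %d\n", save_header_checked(&skb, save, ETH_HLEN));
    return 0;
}
```

With two bytes of padding the 16-byte copy stays inside the buffer, which is why the bug was masked on most drivers; without padding only the 14-byte copy is in bounds.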