[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 7/7] xen-netback: don't disconnect frontend when seeing oversize packet

To: <netdev@xxxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxx>
From: Wei Liu <wei.liu2@xxxxxxxxxx>
Date: Tue, 9 Apr 2013 12:07:35 +0100
Cc: Wei Liu <wei.liu2@xxxxxxxxxx>, ian.campbell@xxxxxxxxxx, konrad.wilk@xxxxxxxxxx, annie.li@xxxxxxxxxx, wdauchy@xxxxxxxxx, david.vrabel@xxxxxxxxxx
Delivery-date: Tue, 09 Apr 2013 11:31:18 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Some frontend drivers are sending packets > 64 KiB in length. This length
overflows the length field in the first slot making the following slots have
an invalid length ("Packet is bigger than frame").

Turn this error back into a non-fatal error by dropping the packet. To avoid
having the following slots having fatal errors, consume all slots in the
packet.

This does not reopen the security hole in XSA-39 as if the packet as an
invalid number of slots it will still hit fatal error case.

Signed-off-by: David Vrabel <david.vrabel@xxxxxxxxxx>
Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
---
 drivers/net/xen-netback/netback.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/net/xen-netback/netback.c 
b/drivers/net/xen-netback/netback.c
index 3490b2c..acd057b 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -986,10 +986,21 @@ static int netbk_count_requests(struct xenvif *vif,
 
                memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),
                       sizeof(*txp));
-               if (txp->size > first->size) {
-                       netdev_err(vif->dev, "Packet is bigger than frame.\n");
-                       netbk_fatal_tx_err(vif);
-                       return -EIO;
+
+               /* If the guest submitted a frame >= 64 KiB then
+                * first->size overflowed and following slots will
+                * appear to be larger than the frame.
+                *
+                * This cannot be fatal error as there are buggy
+                * frontends that do this.
+                *
+                * Consume all slots and drop the packet.
+                */
+               if (!drop_err && txp->size > first->size) {
+                       if (net_ratelimit())
+                               netdev_dbg(vif->dev,
+                                          "Packet is bigger than frame.\n");
+                       drop_err = -EIO;
                }
 
                first->size -= txp->size;
-- 
1.7.10.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 7/7] xen-netback: don't disconnect frontend when seeing oversize packet
  - From: David Laight

References:
- [Xen-devel] [PATCH V3 0/7] Bundle fixes for Xen netfront / netback
  - From: Wei Liu

Prev by Date: [Xen-devel] [PATCH 2/7] xen-netfront: frags -> slots in xennet_get_responses
Next by Date: Re: [Xen-devel] Consequence of FLushing TLB with IRQ Enable
Previous by thread: [Xen-devel] [PATCH 2/7] xen-netfront: frags -> slots in xennet_get_responses
Next by thread: Re: [Xen-devel] [PATCH 7/7] xen-netback: don't disconnect frontend when seeing oversize packet
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.