Skip to content

K
Kernel

openeuler / Kernel
1 年多 前同步成功

通知 8
Star 0
Fork 0
K
Kernel
提交 4e704ee3 编写于 作者: H Herbert Xu 提交者: David S. Miller
浏览文件
操作

gso: Ensure that the packet is long enough 

When we get a GSO packet from an untrusted source, we need to
ensure that it is sufficiently long so that we don't end up
crashing.

Based on discovery and patch by Ian Campbell.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Tested-by: NIan Campbell <ian.campbell@citrix.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 f5572068
隐藏空白更改
内联 并排
Showing with 7 addition and 6 deletion
net/ipv4/tcp.c
浏览文件 @ 4e704ee3
...@@ -2389,7 +2389,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) ...@@ -2389,7 +2389,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
unsigned int seq; unsigned int seq;
__be32 delta; __be32 delta;
unsigned int oldlen; unsigned int oldlen;
unsigned int len; unsigned int mss;
if (!pskb_may_pull(skb, sizeof(*th))) if (!pskb_may_pull(skb, sizeof(*th)))
goto out; goto out;
...@@ -2405,10 +2405,13 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) ...@@ -2405,10 +2405,13 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
oldlen = (u16)~skb->len; oldlen = (u16)~skb->len;
__skb_pull(skb, thlen); __skb_pull(skb, thlen);
mss = skb_shinfo(skb)->gso_size;
if (unlikely(skb->len <= mss))
goto out;
if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) { if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
/* Packet is from an untrusted source, reset gso_segs. */ /* Packet is from an untrusted source, reset gso_segs. */
int type = skb_shinfo(skb)->gso_type; int type = skb_shinfo(skb)->gso_type;
int mss;
if (unlikely(type & if (unlikely(type &
~(SKB_GSO_TCPV4 | ~(SKB_GSO_TCPV4 |
...@@ -2419,7 +2422,6 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) ...@@ -2419,7 +2422,6 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
!(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))) !(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
goto out; goto out;
mss = skb_shinfo(skb)->gso_size;
skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss); skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
segs = NULL; segs = NULL;
...@@ -2430,8 +2432,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) ...@@ -2430,8 +2432,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
if (IS_ERR(segs)) if (IS_ERR(segs))
goto out; goto out;
len = skb_shinfo(skb)->gso_size; delta = htonl(oldlen + (thlen + mss));
delta = htonl(oldlen + (thlen + len));
skb = segs; skb = segs;
th = tcp_hdr(skb); th = tcp_hdr(skb);
...@@ -2447,7 +2448,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) ...@@ -2447,7 +2448,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
csum_fold(csum_partial(skb_transport_header(skb), csum_fold(csum_partial(skb_transport_header(skb),
thlen, skb->csum)); thlen, skb->csum));
seq += len; seq += mss;
skb = skb->next; skb = skb->next;
th = tcp_hdr(skb); th = tcp_hdr(skb);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册