Commit 7a57c268 authored by Eric Dumazet's avatar Eric Dumazet Committed by Ben Hutchings

packet: handle too big packets for PACKET_V3

commit dc808110 upstream.

af_packet can currently overwrite kernel memory by out of bound
accesses, because it assumed a [new] block can always hold one frame.

This is not generally the case, even if most existing tools do it right.

This patch clamps too long frames as API permits, and issue a one time
error on syslog.

[  394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82

In this example, packet header tp_snaplen was set to 3966,
and tp_len was set to 5042 (skb->len)
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Acked-by: default avatarDaniel Borkmann <dborkman@redhat.com>
Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent c2e7959f
...@@ -195,6 +195,7 @@ struct tpacket_kbdq_core { ...@@ -195,6 +195,7 @@ struct tpacket_kbdq_core {
char *pkblk_start; char *pkblk_start;
char *pkblk_end; char *pkblk_end;
int kblk_size; int kblk_size;
unsigned int max_frame_len;
unsigned int knum_blocks; unsigned int knum_blocks;
uint64_t knxt_seq_num; uint64_t knxt_seq_num;
char *prev; char *prev;
...@@ -616,6 +617,7 @@ static void init_prb_bdqc(struct packet_sock *po, ...@@ -616,6 +617,7 @@ static void init_prb_bdqc(struct packet_sock *po,
p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov); p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov);
p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv; p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv;
p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv);
prb_init_ft_ops(p1, req_u); prb_init_ft_ops(p1, req_u);
prb_setup_retire_blk_timer(po, tx_ring); prb_setup_retire_blk_timer(po, tx_ring);
prb_open_block(p1, pbd); prb_open_block(p1, pbd);
...@@ -1775,6 +1777,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, ...@@ -1775,6 +1777,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
if ((int)snaplen < 0) if ((int)snaplen < 0)
snaplen = 0; snaplen = 0;
} }
} else if (unlikely(macoff + snaplen >
GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
u32 nval;
nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff;
pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n",
snaplen, nval, macoff);
snaplen = nval;
if (unlikely((int)snaplen < 0)) {
snaplen = 0;
macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
}
} }
spin_lock(&sk->sk_receive_queue.lock); spin_lock(&sk->sk_receive_queue.lock);
h.raw = packet_current_rx_frame(po, skb, h.raw = packet_current_rx_frame(po, skb,
...@@ -3622,6 +3636,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, ...@@ -3622,6 +3636,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
goto out; goto out;
if (unlikely(req->tp_block_size & (PAGE_SIZE - 1))) if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
goto out; goto out;
if (po->tp_version >= TPACKET_V3 &&
(int)(req->tp_block_size -
BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
goto out;
if (unlikely(req->tp_frame_size < po->tp_hdrlen + if (unlikely(req->tp_frame_size < po->tp_hdrlen +
po->tp_reserve)) po->tp_reserve))
goto out; goto out;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment