Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec

From: Sabrina Dubroca
Date: Tue Apr 25 2017 - 11:19:34 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.10 10/24] mmc: dw_mmc: silent verbose log when calling from PM context"
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 09/21] s390/mm: fix CMMA vs KSM vs others"
In reply to: Jason A. Donenfeld: "Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec"
Next in thread: Jason A. Donenfeld: "Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2017-04-25, 17:08:28 +0200, Jason A. Donenfeld wrote:
> Hi Sabrina,
>
> On Tue, Apr 25, 2017 at 4:53 PM, Sabrina Dubroca <sd@xxxxxxxxxxxxxxx> wrote:
> > Ugh, good catch :/
> >
> > AFAICT this patch doesn't really help, because NETIF_F_FRAGLIST
> > doesn't get tested in paths that can lead to triggering this.
>
> You're right. This fixes the xmit() path, but not the receive path,
> which appears to take skbs directly from the upper device.
>
> > I'll post a patch to allocate a properly-sized sg array.
>
> I just posted this series, which should fix things in a robust way:
>
> https://patchwork.ozlabs.org/patch/754861/

Yes, that prevents the overflow, but now you're just dropping
packets. I'll review that later, let's fix the overflow without
breaking connectivity for now.

--
Sabrina

Next message: Greg Kroah-Hartman: "[PATCH 4.10 10/24] mmc: dw_mmc: silent verbose log when calling from PM context"
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 09/21] s390/mm: fix CMMA vs KSM vs others"
In reply to: Jason A. Donenfeld: "Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec"
Next in thread: Jason A. Donenfeld: "Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]