Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec

From: Sabrina Dubroca
Date: Tue Apr 25 2017 - 11:19:34 EST


2017-04-25, 17:08:28 +0200, Jason A. Donenfeld wrote:
> Hi Sabrina,
>
> On Tue, Apr 25, 2017 at 4:53 PM, Sabrina Dubroca <sd@xxxxxxxxxxxxxxx> wrote:
> > Ugh, good catch :/
> >
> > AFAICT this patch doesn't really help, because NETIF_F_FRAGLIST
> > doesn't get tested in paths that can lead to triggering this.
>
> You're right. This fixes the xmit() path, but not the receive path,
> which appears to take skbs directly from the upper device.
>
> > I'll post a patch to allocate a properly-sized sg array.
>
> I just posted this series, which should fix things in a robust way:
>
> https://patchwork.ozlabs.org/patch/754861/

Yes, that prevents the overflow, but now you're just dropping
packets. I'll review that later, let's fix the overflow without
breaking connectivity for now.

--
Sabrina