leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
202a0a70e4
linux/drivers/net
History
Andy Spencer 202a0a70e4 gianfar: prevent integer wrapping in the rx handler 
When the frame check sequence (FCS) is split across the last two frames
of a fragmented packet, part of the FCS gets counted twice, once when
subtracting the FCS, and again when subtracting the previously received
data.

For example, if 1602 bytes are received, and the first fragment contains
the first 1600 bytes (including the first two bytes of the FCS), and the
second fragment contains the last two bytes of the FCS:

  'skb->len == 1600' from the first fragment

  size  = lstatus & BD_LENGTH_MASK; # 1602
  size -= ETH_FCS_LEN;              # 1598
  size -= skb->len;                 # -2

Since the size is unsigned, it wraps around and causes a BUG later in
the packet handling, as shown below:

  kernel BUG at ./include/linux/skbuff.h:2068!
  Oops: Exception in kernel mode, sig: 5 []
  ...
  NIP [c021ec60] skb_pull+0x24/0x44
  LR [c01e2fbc] gfar_clean_rx_ring+0x498/0x690
  Call Trace:
  [df7edeb0] [c01e2c1c] gfar_clean_rx_ring+0xf8/0x690 (unreliable)
  [df7edf20] [c01e33a8] gfar_poll_rx_sq+0x3c/0x9c
  [df7edf40] [c023352c] net_rx_action+0x21c/0x274
  [df7edf90] [c0329000] __do_softirq+0xd8/0x240
  [df7edff0] [c000c108] call_do_irq+0x24/0x3c
  [c0597e90] [c00041dc] do_IRQ+0x64/0xc4
  [c0597eb0] [c000d920] ret_from_except+0x0/0x18
  --- interrupt: 501 at arch_cpu_idle+0x24/0x5c

Change the size to a signed integer and then trim off any part of the
FCS that was received prior to the last fragment.

Fixes: 6c389fc931 ("gianfar: fix size of scatter-gathered frames")
Signed-off-by: Andy Spencer <aspencer@spacex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-29 14:17:09 -05:00
..
appletalk
arcnet
bonding
caif net: caif: remove redundant re-assignment of pointer pfrm 2018-01-22 10:51:56 -05:00
can can: migrate documentation to restructured text 2018-01-26 10:46:44 +01:00
cris
dsa net: dsa: mv88e6xxx: Free ATU/VTU irq only when there is chip irq 2018-01-19 15:57:02 -05:00
ethernet gianfar: prevent integer wrapping in the rx handler 2018-01-29 14:17:09 -05:00
fddi
fjes
hamradio
hippi
hyperv hv_netvsc: Use the num_online_cpus() for channel limit 2018-01-22 16:24:08 -05:00
ieee802154
ipvlan
netdevsim netdevsim: use tc_cls_can_offload_and_chain0() 2018-01-25 21:23:08 -05:00
phy net: phy: sfp: Fix kernel doc warning 2018-01-23 11:06:50 -05:00
plip
ppp pppoe: take ->needed_headroom of lower device into account on xmit 2018-01-23 19:44:44 -05:00
slip
team
usb Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-23 13:51:56 -05:00
vmxnet3 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-24 23:44:15 -05:00
wan
wimax
wireless wireless-drivers-next patches for 4.16 2018-01-28 22:00:16 -05:00
xen-netback
dummy.c
eql.c
geneve.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-29 10:15:51 -05:00
gtp.c
ifb.c
Kconfig
LICENSE.SRC
loopback.c
macsec.c macsec: restore uAPI after addition of GCM-AES-256 2018-01-22 15:40:16 -05:00
macvlan.c
macvtap.c
Makefile
mdio.c
mii.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c tap: fix use-after-free 2018-01-29 12:02:53 -05:00
thunderbolt.c
tun.c tun: avoid calling xdp_rxq_info_unreg() twice 2018-01-22 16:55:18 -05:00
veth.c
virtio_net.c virtio_net: Add ethtool stats 2018-01-22 15:25:37 -05:00
vrf.c net: vrf: Add support for sends to local broadcast address 2018-01-25 21:51:03 -05:00
vsockmon.c
vxlan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-29 10:15:51 -05:00
xen-netfront.c xen-netfront: enable device after manual module load 2018-01-08 14:17:03 -05:00