diff options
author | Eugene Crosser <Eugene.Crosser@ru.ibm.com> | 2015-12-11 12:27:51 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2015-12-14 22:16:44 +0100 |
commit | 979f66b32dbbf928635dbf44fd9843d27c4ed8f9 (patch) | |
tree | aff4410b8326506c1fcf85bf4e90a8ee37f1e974 /net/iucv | |
parent | iucv: prevent information leak in iucv_message (diff) | |
download | linux-979f66b32dbbf928635dbf44fd9843d27c4ed8f9.tar.xz linux-979f66b32dbbf928635dbf44fd9843d27c4ed8f9.zip |
iucv: call skb_linearize() when needed
When the linear buffer of the received sk_buff is shorter than
the header, use skb_linearize(). sk_buffs with short linear buffer
happen on the sending side under high traffic, and some kernel
configurations, when allocated buffer starts just before page
boundary, and IUCV transport has to send it as two separate QDIO
buffer elements, with fist element shorter than the header.
Signed-off-by: Eugene Crosser <Eugene.Crosser@ru.ibm.com>
Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/iucv')
-rw-r--r-- | net/iucv/af_iucv.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c index 5bc473b01a00..ef50a94d3eb7 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c @@ -2084,11 +2084,7 @@ static int afiucv_hs_callback_rx(struct sock *sk, struct sk_buff *skb) return NET_RX_SUCCESS; } - /* write stuff from iucv_msg to skb cb */ - if (skb->len < sizeof(struct af_iucv_trans_hdr)) { - kfree_skb(skb); - return NET_RX_SUCCESS; - } + /* write stuff from iucv_msg to skb cb */ skb_pull(skb, sizeof(struct af_iucv_trans_hdr)); skb_reset_transport_header(skb); skb_reset_network_header(skb); @@ -2119,6 +2115,20 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev, char nullstring[8]; int err = 0; + if (skb->len < (ETH_HLEN + sizeof(struct af_iucv_trans_hdr))) { + WARN_ONCE(1, "AF_IUCV too short skb, len=%d, min=%d", + (int)skb->len, + (int)(ETH_HLEN + sizeof(struct af_iucv_trans_hdr))); + kfree_skb(skb); + return NET_RX_SUCCESS; + } + if (skb_headlen(skb) < (ETH_HLEN + sizeof(struct af_iucv_trans_hdr))) + if (skb_linearize(skb)) { + WARN_ONCE(1, "AF_IUCV skb_linearize failed, len=%d", + (int)skb->len); + kfree_skb(skb); + return NET_RX_SUCCESS; + } skb_pull(skb, ETH_HLEN); trans_hdr = (struct af_iucv_trans_hdr *)skb->data; EBCASC(trans_hdr->destAppName, sizeof(trans_hdr->destAppName)); |