[BRIDGE] netfilter: memory corruption fix
authorStephen Hemminger <shemminger@osdl.org>
Sun, 27 Aug 2006 03:28:30 +0000 (20:28 -0700)
committerDavid S. Miller <davem@davemloft.net>
Sun, 27 Aug 2006 03:28:30 +0000 (20:28 -0700)
The bridge-netfilter code will overwrite memory if there is not
headroom in the skb to save the header.  This first showed up when
using Xen with sky2 driver that doesn't allocate the extra space.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/netfilter_bridge.h
net/bridge/br_forward.c

index 10c13dc4665b7add3c2e5a78143cc2c4a4257619..427c67ff89e98196498a9f85982699b11b2cd777 100644 (file)
@@ -48,15 +48,25 @@ enum nf_br_hook_priorities {
 
 /* Only used in br_forward.c */
 static inline
-void nf_bridge_maybe_copy_header(struct sk_buff *skb)
+int nf_bridge_maybe_copy_header(struct sk_buff *skb)
 {
+       int err;
+
        if (skb->nf_bridge) {
                if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+                       err = skb_cow(skb, 18);
+                       if (err)
+                               return err;
                        memcpy(skb->data - 18, skb->nf_bridge->data, 18);
                        skb_push(skb, 4);
-               } else
+               } else {
+                       err = skb_cow(skb, 16);
+                       if (err)
+                               return err;
                        memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+               }
        }
+       return 0;
 }
 
 /* This is called by the IP fragmenting code and it ensures there is
index 6ccd32b308091dcd443f6ff00ab0aea2ad456e21..864fbbc7b24d0eb1d9769723cdf385c60aba410c 100644 (file)
@@ -40,11 +40,15 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
        else {
 #ifdef CONFIG_BRIDGE_NETFILTER
                /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
-               nf_bridge_maybe_copy_header(skb);
+               if (nf_bridge_maybe_copy_header(skb))
+                       kfree_skb(skb);
+               else
 #endif
-               skb_push(skb, ETH_HLEN);
+               {
+                       skb_push(skb, ETH_HLEN);
 
-               dev_queue_xmit(skb);
+                       dev_queue_xmit(skb);
+               }
        }
 
        return 0;