[VLAN/BRIDGE]: Fix "skb_pull_rcsum - Fatal exception in interrupt"
authorEvgeniy Polyakov <johnpol@2ka.mipt.ru>
Sat, 25 Aug 2007 06:36:29 +0000 (23:36 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Mon, 27 Aug 2007 01:35:47 +0000 (18:35 -0700)
I tried to preserve bridging code as it was before, but logic is quite
strange - I think we should free skb on error, since it is already
unshared and thus will just leak.

Herbert Xu states:

> + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
> + goto out;

If this happens it'll be a double-free on skb since we'll
return NF_DROP which makes the caller free it too.

We could return NF_STOLEN to prevent that but I'm not sure
whether that's correct netfilter semantics.  Patrick, could
you please make a call on this?

Patrick McHardy states:

NF_STOLEN should work fine here.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/8021q/vlan_dev.c
net/bridge/br_netfilter.c

index 4bab322c9f8f9266e7c5fe4c5cb4ac7c63257757..328759c32d616195ff634ad12369667d16e4f80e 100644 (file)
@@ -116,12 +116,22 @@ int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
                  struct packet_type* ptype, struct net_device *orig_dev)
 {
        unsigned char *rawp = NULL;
-       struct vlan_hdr *vhdr = (struct vlan_hdr *)(skb->data);
+       struct vlan_hdr *vhdr;
        unsigned short vid;
        struct net_device_stats *stats;
        unsigned short vlan_TCI;
        __be16 proto;
 
+       if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
+               return -1;
+
+       if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) {
+               kfree_skb(skb);
+               return -1;
+       }
+
+       vhdr = (struct vlan_hdr *)(skb->data);
+
        /* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */
        vlan_TCI = ntohs(vhdr->h_vlan_TCI);
 
index fa779874b9dd3723335257e46b9e02def4682712..3ee2022928e32069d9978f77a3cdd88299d62d70 100644 (file)
@@ -509,8 +509,14 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
                                      int (*okfn)(struct sk_buff *))
 {
        struct iphdr *iph;
-       __u32 len;
        struct sk_buff *skb = *pskb;
+       __u32 len = nf_bridge_encap_header_len(skb);
+
+       if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
+               return NF_STOLEN;
+
+       if (unlikely(!pskb_may_pull(skb, len)))
+               goto out;
 
        if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
            IS_PPPOE_IPV6(skb)) {
@@ -518,8 +524,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
                if (!brnf_call_ip6tables)
                        return NF_ACCEPT;
 #endif
-               if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
-                       goto out;
                nf_bridge_pull_encap_header_rcsum(skb);
                return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
        }
@@ -532,8 +536,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
            !IS_PPPOE_IP(skb))
                return NF_ACCEPT;
 
-       if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
-               goto out;
        nf_bridge_pull_encap_header_rcsum(skb);
 
        if (!pskb_may_pull(skb, sizeof(struct iphdr)))