Commit 3a13813e authored by Stephen Hemminger's avatar Stephen Hemminger Committed by David S. Miller

[BRIDGE] netfilter: memory corruption fix

The bridge-netfilter code will overwrite memory if there is not
headroom in the skb to save the header.  This first showed up when
using Xen with sky2 driver that doesn't allocate the extra space.
Signed-off-by: default avatarStephen Hemminger <shemminger@osdl.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 8dbc1603
...@@ -48,15 +48,25 @@ enum nf_br_hook_priorities { ...@@ -48,15 +48,25 @@ enum nf_br_hook_priorities {
/* Only used in br_forward.c */ /* Only used in br_forward.c */
static inline static inline
void nf_bridge_maybe_copy_header(struct sk_buff *skb) int nf_bridge_maybe_copy_header(struct sk_buff *skb)
{ {
int err;
if (skb->nf_bridge) { if (skb->nf_bridge) {
if (skb->protocol == __constant_htons(ETH_P_8021Q)) { if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
err = skb_cow(skb, 18);
if (err)
return err;
memcpy(skb->data - 18, skb->nf_bridge->data, 18); memcpy(skb->data - 18, skb->nf_bridge->data, 18);
skb_push(skb, 4); skb_push(skb, 4);
} else } else {
err = skb_cow(skb, 16);
if (err)
return err;
memcpy(skb->data - 16, skb->nf_bridge->data, 16); memcpy(skb->data - 16, skb->nf_bridge->data, 16);
} }
}
return 0;
} }
/* This is called by the IP fragmenting code and it ensures there is /* This is called by the IP fragmenting code and it ensures there is
......
...@@ -40,12 +40,16 @@ int br_dev_queue_push_xmit(struct sk_buff *skb) ...@@ -40,12 +40,16 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
else { else {
#ifdef CONFIG_BRIDGE_NETFILTER #ifdef CONFIG_BRIDGE_NETFILTER
/* ip_refrag calls ip_fragment, doesn't copy the MAC header. */ /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
nf_bridge_maybe_copy_header(skb); if (nf_bridge_maybe_copy_header(skb))
kfree_skb(skb);
else
#endif #endif
{
skb_push(skb, ETH_HLEN); skb_push(skb, ETH_HLEN);
dev_queue_xmit(skb); dev_queue_xmit(skb);
} }
}
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment