• Neil Horman's avatar
    e1000: add missing length check to e1000 receive routine · ea30e119
    Neil Horman authored
    	Patch to fix bad length checking in e1000.  E1000 by default does two
    things:
    
    1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
    2) Strips the crc from a frame by subtracting 4 bytes from the length prior to
    doing an skb_put
    
    Since the e1000 driver isn't written to support receiving packets that span
    multiple rx buffers, it checks the End of Packet bit of every frame, and
    discards it if its not set.  This places us in a situation where, if we have a
    spanning packet, the first part is discarded, but the second part is not (since
    it is the end of packet, and it passes the EOP bit test).  If the second part of
    the frame is small (4 bytes or less), we subtract 4 from it to remove its crc,
    underflow the length, and wind up in skb_over_panic, when we try to skb_put a
    huge number of bytes into the skb.  This amounts to a remote DOS attack through
    careful selection of frame size in relation to interface MTU.  The fix for this
    is already in the e1000e driver, as well as the e1000 sourceforge driver, but no
    one ever pushed it to e1000.  This is lifted straight from e1000e, and prevents
    small frames from causing the underflow described above
    Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
    Tested-by: default avatarAndy Gospodarek <andy@greyhouse.net>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    ea30e119
e1000_main.c 135 KB