diff options
| author | kaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk> | 2006-06-30 14:41:13 +0100 |
|---|---|---|
| committer | kaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk> | 2006-06-30 14:41:13 +0100 |
| commit | e110434e9117f90917d1c41d9cddf3d6c712c408 (patch) | |
| tree | f191662ef58d6e04b349a9aeaee54ea5bf659592 /patches | |
| parent | 4509ffb83c9a82528bb2988868210af8c73eeebe (diff) | |
| download | xen-e110434e9117f90917d1c41d9cddf3d6c712c408.tar.gz xen-e110434e9117f90917d1c41d9cddf3d6c712c408.tar.bz2 xen-e110434e9117f90917d1c41d9cddf3d6c712c408.zip | |
[NET]: Update net-gso.patch. Remove net-tso.patch.
New changeset merged upstream:
[TCP]: Reset gso_segs if packet is dodgy
I wasn't paranoid enough in verifying GSO information. A bogus gso_segs
could upset drivers as much as a bogus header would. Let's reset it in
the per-protocol gso_segment functions.
I didn't verify gso_size because that can be verified by the source of
the dodgy packets.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'patches')
| -rw-r--r-- | patches/linux-2.6.16.13/net-gso.patch | 18 | ||||
| -rw-r--r-- | patches/linux-2.6.16.13/net-tso.patch | 28 |
2 files changed, 12 insertions, 34 deletions
diff --git a/patches/linux-2.6.16.13/net-gso.patch b/patches/linux-2.6.16.13/net-gso.patch index 4c69d1e4a6..ba6f8d6682 100644 --- a/patches/linux-2.6.16.13/net-gso.patch +++ b/patches/linux-2.6.16.13/net-gso.patch @@ -2225,7 +2225,7 @@ index d64e2ec..7494823 100644 err = ipcomp_compress(x, skb); iph = skb->nh.iph; diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 00aa80e..84130c9 100644 +index 00aa80e..30c81a8 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -257,6 +257,7 @@ #include <linux/smp_lock.h> @@ -2281,7 +2281,7 @@ index 00aa80e..84130c9 100644 from += copy; copied += copy; -@@ -2026,6 +2021,71 @@ int tcp_getsockopt(struct sock *sk, int +@@ -2026,6 +2021,77 @@ int tcp_getsockopt(struct sock *sk, int } @@ -2306,13 +2306,19 @@ index 00aa80e..84130c9 100644 + if (!pskb_may_pull(skb, thlen)) + goto out; + -+ segs = NULL; -+ if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) -+ goto out; -+ + oldlen = (u16)~skb->len; + __skb_pull(skb, thlen); + ++ if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) { ++ /* Packet is from an untrusted source, reset gso_segs. */ ++ int mss = skb_shinfo(skb)->gso_size; ++ ++ skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss; ++ ++ segs = NULL; ++ goto out; ++ } ++ + segs = skb_segment(skb, features); + if (IS_ERR(segs)) + goto out; diff --git a/patches/linux-2.6.16.13/net-tso.patch b/patches/linux-2.6.16.13/net-tso.patch deleted file mode 100644 index 188e40738a..0000000000 --- a/patches/linux-2.6.16.13/net-tso.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 0336422..0bb0ac9 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -2166,13 +2166,19 @@ struct sk_buff *tcp_tso_segment(struct s - if (!pskb_may_pull(skb, thlen)) - goto out; - -- segs = NULL; -- if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) -- goto out; -- - oldlen = (u16)~skb->len; - __skb_pull(skb, thlen); - -+ if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) { -+ /* Packet is from an untrusted source, reset gso_segs. */ -+ int mss = skb_shinfo(skb)->gso_size; -+ -+ skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss; -+ -+ segs = NULL; -+ goto out; -+ } -+ - segs = skb_segment(skb, features); - if (IS_ERR(segs)) - goto out; |