[NET]: Verify gso_type too in gso_segment
authorHerbert Xu <herbert@gondor.apana.org.au>
Tue, 4 Jul 2006 02:38:35 +0000 (19:38 -0700)
committerDavid S. Miller <davem@davemloft.net>
Tue, 4 Jul 2006 02:38:35 +0000 (19:38 -0700)
We don't want nasty Xen guests to pass a TCPv6 packet in with gso_type set
to TCPv4 or even UDP (or a packet that's both TCP and UDP).

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/af_inet.c
net/ipv4/tcp.c
net/ipv6/ipv6_sockglue.c

index 8d157157bf8e68c65ae3523b62c13ba0486437ab..318d4674faa188e8aba6c6c8c17862fed6ce6ee6 100644 (file)
@@ -1106,7 +1106,15 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features)
        int ihl;
        int id;
 
-       if (!pskb_may_pull(skb, sizeof(*iph)))
+       if (unlikely(skb_shinfo(skb)->gso_type &
+                    ~(SKB_GSO_TCPV4 |
+                      SKB_GSO_UDP |
+                      SKB_GSO_DODGY |
+                      SKB_GSO_TCP_ECN |
+                      0)))
+               goto out;
+
+       if (unlikely(!pskb_may_pull(skb, sizeof(*iph))))
                goto out;
 
        iph = skb->nh.iph;
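Review bot: The mask test added at the top of inet_gso_segment only rejects bits that can never be valid for IPv4, so a gso_type with both SKB_GSO_TCPV4 and SKB_GSO_UDP set, or with no protocol bit at all, still passes here. For TCP that combination is refused later by the check added in tcp_tso_segment, whose mask leaves out SKB_GSO_UDP, but any other handler reached through `inet_protos[proto]` has to do its own verification, and none is visible in this diff. A comment above the test would record that split, for example `/* Coarse filter: drop type bits that are never valid for IPv4; the transport gso_segment handler must still verify its own protocol bit. */`. The mask added in the ipv6_gso_segment hunk has the same shape and would benefit from the same comment. The function body starts and ends outside this hunk.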
@@ -1114,7 +1122,7 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features)
        if (ihl < sizeof(*iph))
                goto out;
 
-       if (!pskb_may_pull(skb, ihl))
+       if (unlikely(!pskb_may_pull(skb, ihl)))
                goto out;
 
        skb->h.raw = __skb_pull(skb, ihl);
@@ -1125,7 +1133,7 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features)
 
        rcu_read_lock();
        ops = rcu_dereference(inet_protos[proto]);
-       if (ops && ops->gso_segment)
+       if (likely(ops && ops->gso_segment))
                segs = ops->gso_segment(skb, features);
        rcu_read_unlock();
 
index 804458712d881dee4065f2e4cbd7e7c99296d545..f6a2d9223d07ca1503aecfdaa9124e09b8e22247 100644 (file)
@@ -2170,8 +2170,19 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
 
        if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
                /* Packet is from an untrusted source, reset gso_segs. */
-               int mss = skb_shinfo(skb)->gso_size;
+               int type = skb_shinfo(skb)->gso_type;
+               int mss;
+
+               if (unlikely(type &
+                            ~(SKB_GSO_TCPV4 |
+                              SKB_GSO_DODGY |
+                              SKB_GSO_TCP_ECN |
+                              SKB_GSO_TCPV6 |
+                              0) ||
+                            !(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
+                       goto out;
 
+               mss = skb_shinfo(skb)->gso_size;
                skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
 
                segs = NULL;
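Review bot: `mss` is taken from `skb_shinfo(skb)->gso_size` inside the branch commented as handling an untrusted source and is then used as a divisor, yet the added check validates only `gso_type`. If nothing outside this hunk guarantees a non-zero gso_size on this path, a guest-supplied zero would divide by zero; `if (unlikely(!mss)) goto out;` after the assignment would close that, or a comment should name the caller that guarantees it. The second clause, `!(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))`, also deserves a short comment such as `/* at least one TCP type bit is required; the IPv4/IPv6 handlers in this commit already reject the bit of the other family */`. tcp_tso_segment starts and ends outside the hunk.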
index c28e5c287447105d36334b480f02b912deb0a2af..ec59344478d27eafb79c5ee88c0dbfc6e858f542 100644 (file)
@@ -64,6 +64,14 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, int features)
        struct inet6_protocol *ops;
        int proto;
 
+       if (unlikely(skb_shinfo(skb)->gso_type &
+                    ~(SKB_GSO_UDP |
+                      SKB_GSO_DODGY |
+                      SKB_GSO_TCP_ECN |
+                      SKB_GSO_TCPV6 |
+                      0)))
+               goto out;
+
        if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
                goto out;