packet: handle too big packets for PACKET_V3

af_packet can currently overwrite kernel memory by out of bound accesses, because it assumed a [new] block can always hold one frame. This is not generally the case, even if most existing tools do it right. This patch clamps too long frames as API permits, and issue a one time error on syslog. [ 394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82 In this example, packet header tp_snaplen was set to 3966, and tp_len was set to 5042 (skb->len) Signed-off-by: Eric Dumazet <edumazet@google.com> Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") Acked-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <edumazet@google.com> 2014-08-15 16:16:04 (GMT)
committer: David S. Miller <davem@davemloft.net> 2014-08-21 23:44:28 (GMT)
commit: dc808110bb62b64a448696ecac3938902c92e1ab (patch)
tree: 05abe4d611d696d3b64c24c9cfac048b6d9db0f0 /net/packet/internal.h
parent: 564ee3606fe6c9e014c4bee9d74a5eaef96034c8 (diff)
download: linux-dc808110bb62b64a448696ecac3938902c92e1ab.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/net/packet/internal.h b/net/packet/internal.h
index eb9580a..cdddf6a 100644
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -29,6 +29,7 @@ struct tpacket_kbdq_core {
 	char		*pkblk_start;
 	char		*pkblk_end;
 	int		kblk_size;
+	unsigned int	max_frame_len;
 	unsigned int	knum_blocks;
 	uint64_t	knxt_seq_num;
 	char		*prev;
author	Eric Dumazet <edumazet@google.com>	2014-08-15 16:16:04 (GMT)
committer	David S. Miller <davem@davemloft.net>	2014-08-21 23:44:28 (GMT)
commit	dc808110bb62b64a448696ecac3938902c92e1ab (patch)
tree	05abe4d611d696d3b64c24c9cfac048b6d9db0f0 /net/packet/internal.h
parent	564ee3606fe6c9e014c4bee9d74a5eaef96034c8 (diff)
download	linux-dc808110bb62b64a448696ecac3938902c92e1ab.tar.xz