Lucid CVE-2012-3412

Tim Gardner tim.gardner at canonical.com
Fri Aug 24 19:38:59 UTC 2012


On 08/24/2012 09:11 AM, Tim Gardner wrote:
> On 08/24/2012 09:05 AM, Herton Ronaldo Krzesinski wrote:
>> On Fri, Aug 24, 2012 at 07:58:34AM -0600, Tim Gardner wrote:
>>>  static inline int netif_needs_gso(struct net_device *dev, struct sk_buff *skb)
>>>  {
>>> +	if (skb_is_gso(skb) &&
>>> +		skb_shinfo(skb)->gso_segs > skb->dev->gso_max_segs)
>>> +		return 0;
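Review bot: the `return 0` in the new early-exit branch of netif_needs_gso() looks inverted for its purpose: 0 tells the caller the skb does not need segmenting, so a GSO skb whose gso_segs exceeds the device's gso_max_segs is handed to the driver whole, which is exactly the case the check is meant to stop. If the intent is to refuse offload for such skbs, the branch should `return 1`, matching what the rest of the function already returns when skb_gso_ok() fails, or better, enforce the limit by clearing the GSO bits from features before the existing skb_gso_ok() check instead of short-circuiting netif_needs_gso(). Minor: the function takes `dev` as a parameter but the condition dereferences `skb->dev`; use the parameter or note why they may differ.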
>>
>> Shouldn't it return 1 here? If the condition is true, we would clear the
>> flags from features. If flags are cleared, when calling skb_gso_ok:
>>
>> net_gso_ok would always return 0
>> skb_gso_ok would always return 0
>> netif_needs_gso returns 1 because it does !skb_gso_ok
>>
>> Unless I'm missing something here. Anyway, hard to read these functions...
>> I think just copying/clearing the flags and passing through skb_gso_ok
>> would be better.
>>
> 
> I guess I'm confused about when the flag is set. I was assuming if GSO
> was set, then the driver handled 'generic segmentation offload'. Aren't
> we checking for error conditions, e.g., if there are more segments than
> the driver can handle, then _don't_ do GSO ?
> 
> rtg
> 

After some online discussion with Herton I think we've agreed to bag
this mess. This is not a broad vulnerability, and the patch is proving
to be more effort than it's worth.

rtg
-- 
Tim Gardner tim.gardner at canonical.com
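To make the disagreement in the thread concrete, here is an added C model (not kernel code and not from this thread) of both netif_needs_gso() variants over constructed skb and device structs: the hunk's early `return 0` beside the feature-clearing approach Herton suggests. The struct layouts, the single-bit GSO_FEATURE mask and the 1448-byte / 100-segment sample values are assumptions.

```c
#include <stdbool.h>

/* Constructed stand-in for the kernel's GSO feature mask; one bit is enough
 * for the decision logic in this thread (not the real NETIF_F_GSO_MASK). */
#define GSO_FEATURE 0x1u

struct net_device { unsigned int features; unsigned int gso_max_segs; };
struct sk_buff { struct net_device *dev; unsigned int gso_size; unsigned int gso_segs; };

static bool skb_is_gso(const struct sk_buff *skb) { return skb->gso_size != 0; }

/* Offload is acceptable only while the feature set still advertises GSO. */
static bool skb_gso_ok(unsigned int features) { return (features & GSO_FEATURE) != 0; }

/* Variant from the quoted hunk: returning 0 means "no segmentation needed",
 * so an skb with too many segments is handed to the driver whole. */
static int netif_needs_gso_hunk(const struct sk_buff *skb, unsigned int features)
{
	if (skb_is_gso(skb) && skb->gso_segs > skb->dev->gso_max_segs)
		return 0;
	return skb_is_gso(skb) && !skb_gso_ok(features);
}

/* Variant Herton proposes: strip the GSO bit when the limit is exceeded and
 * let skb_gso_ok() fail, so netif_needs_gso() returns 1 and the stack
 * segments the skb in software before the driver sees it. */
static unsigned int netif_skb_features_fixed(const struct sk_buff *skb)
{
	unsigned int features = skb->dev->features;
	if (skb_is_gso(skb) && skb->gso_segs > skb->dev->gso_max_segs)
		features &= ~GSO_FEATURE;
	return features;
}

static int netif_needs_gso_fixed(const struct sk_buff *skb)
{
	return skb_is_gso(skb) && !skb_gso_ok(netif_skb_features_fixed(skb));
}

/* Returns 1 when a GSO skb carrying gso_segs segments, on a device that
 * accepts at most max_segs, would be segmented in software (constructed). */
int skb_gets_segmented(unsigned int gso_segs, unsigned int max_segs, int use_fixed)
{
	struct net_device dev = { .features = GSO_FEATURE, .gso_max_segs = max_segs };
	struct sk_buff skb = { .dev = &dev, .gso_size = 1448, .gso_segs = gso_segs };
	return use_fixed ? netif_needs_gso_fixed(&skb) : netif_needs_gso_hunk(&skb, dev.features);
}
```

With 200 segments against a 100-segment limit the hunk variant returns 0 (the oversized skb reaches the driver unsegmented) while the feature-clearing variant returns 1; within the limit both leave offload in place.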




More information about the kernel-team mailing list