[3.16.y-ckt stable] Patch "packet: tpacket_snd(): fix signed/unsigned comparison" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Thu Aug 27 11:12:19 UTC 2015 

This is a note to let you know that I have just added a patch titled

    packet: tpacket_snd(): fix signed/unsigned comparison

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt17.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From 581823ecc47b2e0c164eccf3bf171a0c6097abd9 Mon Sep 17 00:00:00 2001
From: Alexander Drozdov <al.drozdov at gmail.com>
Date: Tue, 28 Jul 2015 13:57:01 +0300
Subject: packet: tpacket_snd(): fix signed/unsigned comparison

commit dbd46ab412b8fb395f2b0ff6f6a7eec9df311550 upstream.

tpacket_fill_skb() can return a negative value (-errno) which
is stored in tp_len variable. In that case the following
condition will be (but shouldn't be) true:

tp_len > dev->mtu + dev->hard_header_len

as dev->mtu and dev->hard_header_len are both unsigned.

That may lead to just returning an incorrect EMSGSIZE errno
to the user.

Fixes: 52f1454f629fa ("packet: allow to transmit +4 byte in TX_RING slot for VLAN case")
Signed-off-by: Alexander Drozdov <al.drozdov at gmail.com>
Acked-by: Daniel Borkmann <daniel at iogearbox.net>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/packet/af_packet.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 7dc6a05f09c8..1f2e7d341781 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2284,7 +2284,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)

 		tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto,
 					  addr, hlen);
-		if (tp_len > dev->mtu + dev->hard_header_len) {
+		if (likely(tp_len >= 0) &&
+		    tp_len > dev->mtu + dev->hard_header_len) {
 			struct ethhdr *ehdr;
 			/* Earlier code assumed this would be a VLAN pkt,
 			 * double-check this now that we have the actual

More information about the kernel-team mailing list