NACK: [SRU][T][PATCH 2/3] net: create skb_gso_validate_mac_len()

Kleber Souza kleber.souza at canonical.com
Fri Feb 23 09:37:40 UTC 2018 

On 02/12/18 05:40, Daniel Axtens wrote:
> From: Daniel Axtens <dja at axtens.net>
> 
> BugLink: https://bugs.launchpad.net/bugs/1715519
> CVE-2018-1000026
> 
> If you take a GSO skb, and split it into packets, will the MAC
> length (L2 + L3 + L4 headers + payload) of those packets be small
> enough to fit within a given length?
> 
> Move skb_gso_mac_seglen() to skbuff.h with other related functions
> like skb_gso_network_seglen() so we can use it, and then create
> skb_gso_validate_mac_len to do the full calculation.
> 
> Signed-off-by: Daniel Axtens <dja at axtens.net>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (backported from commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90)
> [nb: drop GSO_BY_FRAGS case as that isn't introduced until 4.8]
> Signed-off-by: Daniel Axtens <daniel.axtens at canonical.com>
> ---
>  include/linux/skbuff.h | 17 +++++++++++++++++
>  net/core/skbuff.c      | 43 +++++++++++++++++++++++++++++++++++++++++++
>  net/sched/sch_tbf.c    | 10 ----------
>  3 files changed, 60 insertions(+), 10 deletions(-)
> 
> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> index aafe56f8c077..810c374530aa 100644
> --- a/include/linux/skbuff.h
> +++ b/include/linux/skbuff.h
> @@ -2427,6 +2427,7 @@ void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len);
>  int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen);
>  void skb_scrub_packet(struct sk_buff *skb, bool xnet);
>  unsigned int skb_gso_transport_seglen(const struct sk_buff *skb);
> +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len);
>  struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features);
>  
>  struct skb_checksum_ops {
> @@ -2883,5 +2884,21 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
>  			       skb_network_header(skb);
>  	return hdr_len + skb_gso_transport_seglen(skb);
>  }
> +
> +/**
> + * skb_gso_mac_seglen - Return length of individual segments of a gso packet
> + *
> + * @skb: GSO skb
> + *
> + * skb_gso_mac_seglen is used to determine the real size of the
> + * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
> + * headers (TCP/UDP).
> + */
> +static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
> +{
> +	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
> +	return hdr_len + skb_gso_transport_seglen(skb);
> +}
> +
>  #endif	/* __KERNEL__ */
>  #endif	/* _LINUX_SKBUFF_H */
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index eb118c797bf2..1683f39549e7 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -3625,3 +3625,46 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
>  	return shinfo->gso_size;
>  }
>  EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
> +
> +/*
> + * skb_gso_size_check - check the skb size
> + *
> + * There are a couple of instances where we have a GSO skb, and we
> + * want to determine what size it would be after it is segmented.
> + *
> + * We might want to check:
> + * -    L3+L4+payload size (e.g. IP forwarding)
> + * - L2+L3+L4+payload size (e.g. sanity check before passing to driver)
> + *
> + * @seg_len: The segmented length (from skb_gso_*_seglen).
> + *
> + * @max_len: The maximum permissible length.
> + *
> + * Returns true if the segmented length <= max length.
> + *
> + * In upstream this has to consider GSO_BY_FRAGS, but not in this
> + * backport.
> + */
> +static inline bool skb_gso_size_check(const struct sk_buff *skb,
> +				      unsigned int seg_len,
> +				      unsigned int max_len) {
> +	const struct skb_shared_info *shinfo = skb_shinfo(skb);
> +	const struct sk_buff *iter;

Same case here as with the backport for Xenial, these variables are not
needed on the backport.

Otherwise the patch series looks good to me.

Thanks,
Kleber

> +
> +	return seg_len <= max_len;
> +}
> +
> +/**
> + * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
> + *
> + * @skb: GSO skb
> + * @len: length to validate against
> + *
> + * skb_gso_validate_mac_len validates if a given skb will fit a wanted
> + * length once split, including L2, L3 and L4 headers and the payload.
> + */
> +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
> +{
> +	return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len);
> +}
> +EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
> diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
> index bb2c7d5de303..8e7073fd9e08 100644
> --- a/net/sched/sch_tbf.c
> +++ b/net/sched/sch_tbf.c
> @@ -143,16 +143,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r,
>  	return len;
>  }
>  
> -/*
> - * Return length of individual segments of a gso packet,
> - * including all headers (MAC, IP, TCP/UDP)
> - */
> -static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
> -{
> -	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
> -	return hdr_len + skb_gso_transport_seglen(skb);
> -}
> -
>  /* GSO packet is too big, segment it so that tbf can transmit
>   * each segment in time
>   */
>

More information about the kernel-team mailing list