2006-11-01 05:50:03

by Chris Wright

Subject: [PATCH 40/61] SCTP: Always linearise packet on input

-stable review patch. If anyone has any objections, please let us know.
------------------

From: Herbert Xu <[email protected]>

I was looking at a RHEL5 bug report involving Xen and SCTP
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212550).
It turns out that SCTP wasn't written to handle skb fragments at
all. The absence of any calls to skb_may_pull is testament to
that.

It just so happens that Xen creates fragmented packets more often
than other scenarios (header & data split when going from domU to
dom0). That's what caused this bug to show up.

Until someone has the time to sit down and audit the entire net/sctp
directory, here is a conservative and safe solution that simply
linearises all packets on input.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

---
net/sctp/input.c | 3 +++
1 file changed, 3 insertions(+)

--- linux-2.6.18.1.orig/net/sctp/input.c
+++ linux-2.6.18.1/net/sctp/input.c
@@ -135,6 +135,9 @@ int sctp_rcv(struct sk_buff *skb)

SCTP_INC_STATS_BH(SCTP_MIB_INSCTPPACKS);

+ if (skb_linearize(skb))
+ goto discard_it;
+
sh = (struct sctphdr *) skb->h.raw;

/* Pull up the IP and SCTP headers. */
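Review bot: the new `if (skb_linearize(skb))` / `goto discard_it;` pair carries no comment, so a later reader of sctp_rcv() has no hint that it is a stopgap for the fragment-handling gap the changelog describes (no pskb_may_pull before the `sh = (struct sctphdr *) skb->h.raw;` cast); a one-line comment stating that reason would keep it from being removed as a needless copy. The placement is right: linearizing may reallocate the skb data area, so the header pointer must be taken after it, as it is here. One side effect worth noting: SCTP_MIB_INSCTPPACKS is incremented two lines above the check, so a packet dropped on the allocation-failure path is counted as received and nothing records the drop; if that matters, move the increment below the new check.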

--
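The hazard the changelog describes, reading a protocol header by casting a pointer into buffer memory that may not hold the whole header, is shown here as an added userspace example. It is not part of the patch, the kernel, or any message in this thread; the toy_* names, the 64-byte head capacity and the single-fragment model are assumptions made for illustration, and the packet bytes are constructed. toy_may_pull() stands in for the pskb_may_pull() check the changelog says net/sctp lacks, and toy_linearize() for the skb_linearize() stopgap the patch adds, including its failure path.

```c
/* Added example (hypothetical model, not kernel code): a non-linear buffer
 * made of a linear head plus one fragment, and the two ways to read a header
 * from it safely. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TOY_HEAD_CAP   64   /* assumed capacity of the linear head */
#define TOY_SCTPHDR_LEN 12  /* src port, dst port, vtag, checksum */

struct toy_skb {
    uint8_t head[TOY_HEAD_CAP];  /* linear data */
    size_t head_len;
    const uint8_t *frag;         /* bytes not in the linear area */
    size_t frag_len;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Analogue of pskb_may_pull(): the first len bytes are only safe to read
 * through a pointer into head when they all lie in the linear area. */
static int toy_may_pull(const struct toy_skb *skb, size_t len) {
    return len <= skb->head_len;
}

/* Analogue of skb_linearize(): copy the fragment into the head.
 * Returns 0 on success, -1 when there is no room (stands in for -ENOMEM). */
static int toy_linearize(struct toy_skb *skb) {
    if (skb->frag_len == 0)
        return 0;
    if (skb->head_len + skb->frag_len > TOY_HEAD_CAP)
        return -1;
    memcpy(skb->head + skb->head_len, skb->frag, skb->frag_len);
    skb->head_len += skb->frag_len;
    skb->frag = NULL;
    skb->frag_len = 0;
    return 0;
}

/* Mirrors the patched sctp_rcv(): linearize first, discard on failure, then
 * read the header from the linear head. Returns the verification tag, or -1
 * if the packet was discarded. */
static int64_t toy_sctp_rcv(struct toy_skb *skb) {
    if (toy_linearize(skb) != 0)
        return -1;                          /* goto discard_it */
    if (!toy_may_pull(skb, TOY_SCTPHDR_LEN))
        return -1;                          /* runt: header incomplete */
    return (int64_t)be32(skb->head + 4);    /* vtag sits at offset 4 */
}

/* Constructed packet: a 12-byte SCTP common header plus 4 payload bytes. */
static const uint8_t sample_pkt[TOY_SCTPHDR_LEN + 4] = {
    0x1f, 0x90,             /* source port 8080 */
    0x00, 0x50,             /* destination port 80 */
    0xde, 0xad, 0xbe, 0xef, /* verification tag */
    0x00, 0x00, 0x00, 0x00, /* checksum, left unset in this model */
    0x41, 0x42, 0x43, 0x44  /* payload */
};

/* Put `split` bytes in the linear head and the rest in the fragment, the
 * header/data split the changelog attributes to Xen. */
static void toy_split_packet(struct toy_skb *skb, size_t split) {
    memset(skb, 0, sizeof *skb);
    memcpy(skb->head, sample_pkt, split);
    skb->head_len = split;
    skb->frag = sample_pkt + split;
    skb->frag_len = sizeof sample_pkt - split;
}

/* Is the header fully in the linear area before any linearize? */
static int toy_header_linear(size_t split) {
    struct toy_skb skb;
    toy_split_packet(&skb, split);
    return toy_may_pull(&skb, TOY_SCTPHDR_LEN);
}

/* Receive a packet split at `split`; returns the vtag or -1. */
static int64_t toy_rcv_split(size_t split) {
    struct toy_skb skb;
    toy_split_packet(&skb, split);
    return toy_sctp_rcv(&skb);
}

/* Failure path of the stopgap: a fragment the head cannot absorb. */
static int64_t toy_rcv_oversized(void) {
    static const uint8_t big[TOY_HEAD_CAP] = {0};
    struct toy_skb skb;
    toy_split_packet(&skb, 6);
    skb.frag = big;
    skb.frag_len = sizeof big;   /* 6 + 64 exceeds TOY_HEAD_CAP */
    return toy_sctp_rcv(&skb);
}

int main(void) {
    printf("header linear with 6-byte head: %d\n", toy_header_linear(6));
    printf("vtag after linearize: 0x%llx\n", (long long)toy_rcv_split(6));
    printf("oversized packet: %lld\n", (long long)toy_rcv_oversized());
    return 0;
}
```

With a 6-byte head the vtag straddles the head/fragment boundary, so a direct cast would read bytes that were never copied into the linear area; toy_may_pull() reports that, and toy_linearize() makes the read valid. The oversized case is the path the patch's `goto discard_it` covers: when linearizing fails, the packet is dropped rather than parsed from an incomplete header.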


2006-11-01 06:17:43

by Willy Tarreau

Subject: Re: [PATCH 40/61] SCTP: Always linearise packet on input

On Tue, Oct 31, 2006 at 09:34:20PM -0800, Chris Wright wrote:
> -stable review patch. If anyone has any objections, please let us know.
> ------------------
>
> From: Herbert Xu <[email protected]>
>
> I was looking at a RHEL5 bug report involving Xen and SCTP
> (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212550).
> It turns out that SCTP wasn't written to handle skb fragments at
> all. The absence of any calls to skb_may_pull is testament to
> that.
>
> It just so happens that Xen creates fragmented packets more often
> than other scenarios (header & data split when going from domU to
> dom0). That's what caused this bug to show up.
>
> Until someone has the time to sit down and audit the entire net/sctp
> directory, here is a conservative and safe solution that simply
> linearises all packets on input.
>
> Signed-off-by: Herbert Xu <[email protected]>
> Signed-off-by: David S. Miller <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
> Signed-off-by: Chris Wright <[email protected]>
>
> ---
> net/sctp/input.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- linux-2.6.18.1.orig/net/sctp/input.c
> +++ linux-2.6.18.1/net/sctp/input.c
> @@ -135,6 +135,9 @@ int sctp_rcv(struct sk_buff *skb)
>
> SCTP_INC_STATS_BH(SCTP_MIB_INSCTPPACKS);
>
> + if (skb_linearize(skb))
> + goto discard_it;
> +
> sh = (struct sctphdr *) skb->h.raw;
>
> /* Pull up the IP and SCTP headers. */


Herbert, David,

This one seems to be valid for 2.4 too. Should I merge it or is it
unneeded?

Willy

2006-11-01 06:23:29

by David Miller

Subject: Re: [PATCH 40/61] SCTP: Always linearise packet on input

From: Willy Tarreau <[email protected]>
Date: Wed, 1 Nov 2006 08:17:22 +0100

> This one seems to be valid for 2.4 too. Should I merge it or is it
> unneeded?

Indeed it appears that the problem can be triggered via IP
fragmentation on input even in 2.4.x, so yes it would be good
to put the fix there too.

Thanks for noticing this Willy.