On Tue, 12 Jan 2010, Neil Horman wrote: > I'm sorry, it doesn't clear much up, at least not for me. The patch you're > referencing above deals only with the jumbo receive path, not the non-jumbo > case, which is not written to handle skb chains. The vulnerability targets > the > latter case specifically. We've seen cases in which an extra data is > transferred into a subsequent buffer in the ring in that path. Normally in > our > reproducing cases, I only saw a 4 byte overrun. Theres a check specifically > in > the e1000(e) drivers for that case. Unfortunately I never tested other cases, > but if someone sets a low mtu (say 1000 bytes), I don't see why the same issue > can't manifest as a buffer chain consisting of a 1000 byte skb followed by up > to > an extra 522 byte skb. such a condition would bypass that check and result in > admitting a garbage frame to the network stack.
Hm, you're right. /me smacks head. Thanks for your comments Neil, they are very useful. Wish we had thought to test the 1000 mtu case before I replied. In any case, we now have verified that the fix in this thread is good in the case of 1000 mtu. So I now withdraw my withdrawal. We have a couple more things to test/fix before we post the final version(s), I know this is priority but I also don't want to rush out an incomplete fix. Current plan is Jeff K will post the official version in the next couple of days, for e1000 and e1000e, which isn't necessary for >=1500 mtu, but is apparently necessary for smaller MTU. ------------------------------------------------------------------------------ This SF.Net email is sponsored by the Verizon Developer Community Take advantage of Verizon's best-in-class app development support A streamlined, 14 day to market process makes app distribution fast and easy Join now and get one step closer to millions of Verizon customers http://p.sf.net/sfu/verizon-dev2dev _______________________________________________ E1000-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/e1000-devel To learn more about Intel® Ethernet, visit http://communities.intel.com/community/wired
