Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec

2017-04-25 Thread Sabrina Dubroca
2017-04-25, 17:08:28 +0200, Jason A. Donenfeld wrote:
> Hi Sabrina,
>
> On Tue, Apr 25, 2017 at 4:53 PM, Sabrina Dubroca wrote:
> > Ugh, good catch :/
> >
> > AFAICT this patch doesn't really help, because NETIF_F_FRAGLIST
> > doesn't get tested in paths that can lead to

Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec

2017-04-25 Thread Jason A. Donenfeld
On Tue, Apr 25, 2017 at 5:12 PM, Sabrina Dubroca wrote:
>> https://patchwork.ozlabs.org/patch/754861/
>
> Yes, that prevents the overflow, but now you're just dropping
> packets.

Right, it's a so-called "defense-in-depth" measure.

> I'll review that later, let's fix the

Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec

2017-04-25 Thread Jason A. Donenfeld
Hi Sabrina,

On Tue, Apr 25, 2017 at 4:53 PM, Sabrina Dubroca wrote:
> Ugh, good catch :/
>
> AFAICT this patch doesn't really help, because NETIF_F_FRAGLIST
> doesn't get tested in paths that can lead to triggering this.

You're right. This fixes the xmit() path, but not

Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec

2017-04-25 Thread Sabrina Dubroca
2017-04-21, 23:14:48 +0200, Jason A. Donenfeld wrote:
> While this may appear as a humdrum one line change, it's actually quite
> important. An sk_buff stores data in three places:
>
> 1. A linear chunk of allocated memory in skb->data. This is the easiest
>    one to work with, but it precludes

Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec

2017-04-24 Thread David Miller
From: "Jason A. Donenfeld"
Date: Fri, 21 Apr 2017 23:14:48 +0200

> While this may appear as a humdrum one line change, it's actually quite
> important. An sk_buff stores data in three places:
>
> 1. A linear chunk of allocated memory in skb->data. This is the easiest
>    one

Re: [PATCH] macsec: avoid heap overflow in skb_to_sgvec

2017-04-24 Thread Jason A. Donenfeld
On Mon, Apr 24, 2017 at 1:02 PM, David Laight wrote:
> ...
>
> Shouldn't skb_to_sgvec() be checking the number of fragments against
> the size of the sg list?
> The callers would then all need auditing to allow for failure.

This has never been done before, since this is

RE: [PATCH] macsec: avoid heap overflow in skb_to_sgvec

2017-04-24 Thread David Laight
From: Jason A. Donenfeld
> Sent: 21 April 2017 22:15
> While this may appear as a humdrum one line change, it's actually quite
> important. An sk_buff stores data in three places:
>
> 1. A linear chunk of allocated memory in skb->data. This is the easiest
>    one to work with, but it precludes

[PATCH] macsec: avoid heap overflow in skb_to_sgvec

2017-04-21 Thread Jason A. Donenfeld
While this may appear as a humdrum one line change, it's actually quite important. An sk_buff stores data in three places:

1. A linear chunk of allocated memory in skb->data. This is the easiest one to work with, but it precludes using scatterdata since the memory must be linear.
2. The