Commit b97fc7eb authored by Haibin Lu's avatar Haibin Lu Committed by Jie Liu
Browse files

UBL: verify skb space when sw_ctype adding 

driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8GIXF


CVE: NA

-----------------------------------------------------------

When sw_ctype is added, the skb_push function is used,
which may cause exceptions because there is insufficient
space between skb->head and skb->data. Before calling
skb_push, this patch uses skb_cow_head for protection
to ensure sufficient space.

Signed-off-by: default avatarHaibin Lu <luhaibin10@hisilicon.com>
parent 5cd562bc

drivers/net/ub/dev/ubl.c

+29 −1
Original line number Diff line number Diff line
@@ -44,6 +44,32 @@ static __be16 ubl_type_to_proto(u8 type) 
	return proto;

}



/**

 * ubl_add_sw_ctype - add software packet type for skb->data

 * @skb: buffer to alter

 * @ctype: indicates the packet type

 *

 * The packet type cannot be known by parsing packe from user,

 * which leads to restrictions on the use of socket.

 * Add cs_type field to indicate the packet type. And sw_ctype

 * exists only during software prcessing.

 * +----------+----+-----+-----------+

 * | sw_ctype | CC | NPI | L3 Packet |

 * +----------+----+-----+-----------+

 */

int ubl_add_sw_ctype(struct sk_buff *skb, u8 ctype)

{

	u8 *pkt_cfg;



	if (skb_cow_head(skb, sizeof(u8)))

		return -ENOMEM;



	pkt_cfg = (u8 *)skb_push(skb, sizeof(u8));

	*pkt_cfg = ctype;



	return 0;

}



/**

 * ubl_create_header - create the ubl header

 * @skb:	buffer to alter
@@ -72,7 +98,9 @@ int ubl_create_header(struct sk_buff *skb, struct net_device *dev, 
		/* if type is ETH_P_UB, then do nothing. */

		ret = 0;

	}

	ubl_add_sw_ctype(skb, ctype);



	if (ubl_add_sw_ctype(skb, ctype))

		ret = -ENOMEM;



	return ret;

}

drivers/net/ub/dev/ubl.h

+3 −22
Original line number Diff line number Diff line
@@ -59,26 +59,6 @@ struct ublhdr { 
	__be32 h_npi;

} __packed;



/**

 * ubl_add_sw_ctype - add software packet type for skb->data

 * @skb: buffer to alter

 * @ctype: indicates the packet type

 *

 * The packet type cannot be known by parsing packe from user,

 * which leads to restrictions on the use of socket.

 * Add cs_type field to indicate the packet type. And sw_ctype

 * exists only during software prcessing.

 * +----------+----+-----+-----------+

 * | sw_ctype | CC | NPI | L3 Packet |

 * +----------+----+-----+-----------+

 */

static inline void ubl_add_sw_ctype(struct sk_buff *skb, u8 ctype)

{

	u8 *pkt_cfg = (u8 *)skb_push(skb, sizeof(u8));



	*pkt_cfg = ctype;

}



/**

 * ubl_rmv_sw_ctype - delete software packet type for skb->data

 * @skb: buffer to alter
@@ -86,9 +66,9 @@ static inline void ubl_add_sw_ctype(struct sk_buff *skb, u8 ctype) 
 * Before the packet is sent to the hardware, remove sw_ctype field

 * and restore the original packet.

 */

static inline void ubl_rmv_sw_ctype(struct sk_buff *skb)

static inline void *ubl_rmv_sw_ctype(struct sk_buff *skb)

{

	skb_pull_inline(skb, sizeof(u8));

	return pskb_pull(skb, sizeof(u8));

}



int ubl_create_header(struct sk_buff *skb, struct net_device *dev,
@@ -98,6 +78,7 @@ void ubl_setup(struct net_device *dev); 
__be16 ubl_type_trans(struct sk_buff *skb, struct net_device *dev, u8 type);

struct net_device *alloc_ubndev_mqs(int sizeof_priv, unsigned int txqs,

				    unsigned int rxqs);

int ubl_add_sw_ctype(struct sk_buff *skb, u8 ctype);

#define alloc_ubndev_mq(sizeof_priv, count) \

	alloc_ubndev_mqs((sizeof_priv), (count), (count))