diff options
| author | Jakub Kicinski <kuba@kernel.org> | 2024-07-25 08:07:06 -0700 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2024-07-25 08:07:07 -0700 |
| commit | af65ea42bd1d28d818b74b9b3b4f8da7ada9f88b (patch) | |
| tree | 0e2b808ca37e42419f7ef7ed1ca78e61a21fef9c /Documentation | |
| parent | 61ab751451f5ebd0b98e02276a44e23a10110402 (diff) | |
| parent | 049584807f1d797fc3078b68035450a9769eb5c3 (diff) | |
| download | linux-stable-af65ea42bd1d28d818b74b9b3b4f8da7ada9f88b.tar.gz linux-stable-af65ea42bd1d28d818b74b9b3b4f8da7ada9f88b.tar.bz2 linux-stable-af65ea42bd1d28d818b74b9b3b4f8da7ada9f88b.zip | |
Merge branch 'tap-tun-harden-by-dropping-short-frame'
Dongli Zhang says:
====================
tap/tun: harden by dropping short frame
This is to harden all of tap/tun to avoid any short frame smaller than the
Ethernet header (ETH_HLEN).
While the xen-netback already rejects short frame smaller than ETH_HLEN ...
914 static void xenvif_tx_build_gops(struct xenvif_queue *queue,
915 int budget,
916 unsigned *copy_ops,
917 unsigned *map_ops)
918 {
... ...
1007 if (unlikely(txreq.size < ETH_HLEN)) {
1008 netdev_dbg(queue->vif->dev,
1009 "Bad packet size: %d\n", txreq.size);
1010 xenvif_tx_err(queue, &txreq, extra_count, idx);
1011 break;
1012 }
... the short frame may not be dropped by vhost-net/tap/tun.
This fixes CVE-2024-41090 and CVE-2024-41091.
====================
Link: https://patch.msgid.link/20240724170452.16837-1-dongli.zhang@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'Documentation')
0 files changed, 0 insertions, 0 deletions