iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'macsec-fix-some-bugs-in-the-receive-path'

Browse Source 
Andreas Steinmetz says:

====================
macsec: fix some bugs in the receive path

This series fixes some bugs in the receive path of macsec. The first
is a use after free when processing macsec frames with a SecTAG that
has the TCI E bit set but the C bit clear. In the 2nd bug, the driver
leaves an invalid checksumming state after decrypting the packet.

This is a combined effort of Sabrina Dubroca <sd@queasysnail.net> and me.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller 2019-07-02 14:12:30 -07:00
commit bc389fd101
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/net/macsec.c
View File

@ -865,6 +865,7 @@ static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev)
static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len) static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
{ {
skb->ip_summed = CHECKSUM_NONE;
memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN); memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
skb_pull(skb, hdr_len); skb_pull(skb, hdr_len);
pskb_trim_unique(skb, skb->len - icv_len); pskb_trim_unique(skb, skb->len - icv_len);
@ -1099,10 +1100,9 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
} }
skb = skb_unshare(skb, GFP_ATOMIC); skb = skb_unshare(skb, GFP_ATOMIC);
if (!skb) { *pskb = skb;
*pskb = NULL; if (!skb)
return RX_HANDLER_CONSUMED; return RX_HANDLER_CONSUMED;
}
pulled_sci = pskb_may_pull(skb, macsec_extra_len(true)); pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
if (!pulled_sci) { if (!pulled_sci) {