--- /dev/null
+From: Chris Leech <christopher.leech@intel.com>
+Subject: [FcOE] fix frame length validation in the early receive path
+References: bnc #459142
+
+Validation of the frame length was missing before accessing the FC and FCoE
+headers. Some of the later checks were bogus, because of the way the fr_len
+variable and skb->len were being manipulated they could never fail.
+
+Signed-off-by: Chris Leech <christopher.leech@intel.com>
+Acked-by: Bernhard Walle <bwalle@suse.de>
+---
+
+ drivers/scsi/fcoe/libfcoe.c | 48 +++++++++++++++++++++-----------------------
+ include/scsi/fc/fc_fcoe.h | 12 +++++++++++
+ include/scsi/fc_frame.h | 2 -
+ 3 files changed, 36 insertions(+), 26 deletions(-)
+
+
+--- a/drivers/scsi/fcoe/libfcoe.c
++++ b/drivers/scsi/fcoe/libfcoe.c
+@@ -184,7 +184,6 @@ int fcoe_rcv(struct sk_buff *skb, struct
+ struct fcoe_rcv_info *fr;
+ struct fcoe_softc *fc;
+ struct fcoe_dev_stats *stats;
+- u8 *data;
+ struct fc_frame_header *fh;
+ unsigned short oxid;
+ int cpu_idx;
+@@ -211,9 +210,18 @@ int fcoe_rcv(struct sk_buff *skb, struct
+ FC_DBG("wrong FC type frame");
+ goto err;
+ }
+- data = skb->data;
+- data += sizeof(struct fcoe_hdr);
+- fh = (struct fc_frame_header *)data;
++
++ /*
++ * Check for minimum frame length, and make sure required FCoE
++ * and FC headers are pulled into the linear data area.
++ */
++ if (unlikely((skb->len < FCOE_MIN_FRAME) ||
++ !pskb_may_pull(skb, FCOE_HEADER_LEN)))
++ goto err;
++
++ skb_set_transport_header(skb, sizeof(struct fcoe_hdr));
++ fh = (struct fc_frame_header *) skb_transport_header(skb);
++
+ oxid = ntohs(fh->fh_ox_id);
+
+ fr = fcoe_dev_from_skb(skb);
+@@ -514,8 +522,6 @@ int fcoe_percpu_receive_thread(void *arg
+ {
+ struct fcoe_percpu_s *p = arg;
+ u32 fr_len;
+- unsigned int hlen;
+- unsigned int tlen;
+ struct fc_lport *lp;
+ struct fcoe_rcv_info *fr;
+ struct fcoe_dev_stats *stats;
+@@ -572,10 +578,12 @@ int fcoe_percpu_receive_thread(void *arg
+ skb_linearize(skb); /* not ideal */
+
+ /*
+- * Check the header and pull it off.
++ * Frame length checks and setting up the header pointers
++ * was done in fcoe_rcv already.
+ */
+- hlen = sizeof(struct fcoe_hdr);
+- hp = (struct fcoe_hdr *)skb->data;
++ hp = (struct fcoe_hdr *) skb_network_header(skb);
++ fh = (struct fc_frame_header *) skb_transport_header(skb);
++
+ if (unlikely(FC_FCOE_DECAPS_VER(hp) != FC_FCOE_VER)) {
+ if (stats) {
+ if (stats->ErrorFrames < 5)
+@@ -586,22 +594,10 @@ int fcoe_percpu_receive_thread(void *arg
+ kfree_skb(skb);
+ continue;
+ }
++
+ skb_pull(skb, sizeof(struct fcoe_hdr));
+- tlen = sizeof(struct fcoe_crc_eof);
+- fr_len = skb->len - tlen;
+- skb_trim(skb, fr_len);
++ fr_len = skb->len - sizeof(struct fcoe_crc_eof);
+
+- if (unlikely(fr_len > skb->len)) {
+- if (stats) {
+- if (stats->ErrorFrames < 5)
+- FC_DBG("length error fr_len 0x%x "
+- "skb->len 0x%x", fr_len,
+- skb->len);
+- stats->ErrorFrames++;
+- }
+- kfree_skb(skb);
+- continue;
+- }
+ if (stats) {
+ stats->RxFrames++;
+ stats->RxWords += fr_len / FCOE_WORD_TO_BYTE;
+@@ -610,9 +606,11 @@ int fcoe_percpu_receive_thread(void *arg
+ fp = (struct fc_frame *)skb;
+ cp = (struct fcoe_crc_eof *)(skb->data + fr_len);
+ fc_frame_init(fp);
+- fr_eof(fp) = cp->fcoe_eof;
+- fr_sof(fp) = hp->fcoe_sof;
+ fr_dev(fp) = lp;
++ fr_sof(fp) = hp->fcoe_sof;
++ fr_eof(fp) = cp->fcoe_eof;
++ /* trim off the CRC and EOF trailer*/
++ skb_trim(skb, fr_len);
+
+ /*
+ * We only check CRC if no offload is available and if it is
+--- a/include/scsi/fc/fc_fcoe.h
++++ b/include/scsi/fc/fc_fcoe.h
+@@ -85,6 +85,18 @@ struct fcoe_crc_eof {
+ } __attribute__((packed));
+
+ /*
++ * Minimum FCoE + FC header length
++ * 14 bytes FCoE header + 24 byte FC header = 38 bytes
++ */
++#define FCOE_HEADER_LEN 38
++
++/*
++ * Minimum FCoE frame size
++ * 14 bytes FCoE header + 24 byte FC header + 8 byte FCoE trailer = 46 bytes
++ */
++#define FCOE_MIN_FRAME 46
++
++/*
+ * fc_fcoe_set_mac - Store OUI + DID into MAC address field.
+ * @mac: mac address to be set
+ * @did: fc dest id to use
+--- a/include/scsi/fc_frame.h
++++ b/include/scsi/fc_frame.h
+@@ -66,10 +66,10 @@ struct fcoe_rcv_info {
+ struct fc_lport *fr_dev; /* transport layer private pointer */
+ struct fc_seq *fr_seq; /* for use with exchange manager */
+ struct scsi_cmnd *fr_cmd; /* for use of scsi command */
++ u16 fr_max_payload; /* max FC payload */
+ enum fc_sof fr_sof; /* start of frame delimiter */
+ enum fc_eof fr_eof; /* end of frame delimiter */
+ u8 fr_flags; /* flags - see below */
+- u16 fr_max_payload; /* max FC payload */
+ };
+
+ /*
projects / ipfire-2.x.git / blobdiff