From: Alex Williamson Date: Mon, 9 Feb 2009 01:49:17 +0000 (-0800) Subject: tun: Fix unicast filter overflow X-Git-Tag: v2.6.28.6~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ac2dfbf36bfd3913267be078f756e0806b3694f;p=thirdparty%2Fkernel%2Fstable.git tun: Fix unicast filter overflow [ Upstream commit cfbf84fcbcda98bb91ada683a8dc8e6901a83ebd ] Tap devices can make use of a small MAC filter set via the TUNSETTXFILTER ioctl. The filter has a set of exact matches plus a hash for imperfect filtering of additional multicast addresses. The current code is unbalanced, adding unicast addresses to the multicast hash, but only checking the hash against multicast addresses. This results in the filter dropping unicast addresses that overflow the exact filter. The fix is simply to disable the filter by leaving count set to zero if we find non-multicast addresses after the exact match table is filled. Signed-off-by: Alex Williamson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 33b6d1b122fb5..3ee95593a19cb 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -157,10 +157,16 @@ static int update_filter(struct tap_filter *filter, void __user *arg) nexact = n; - /* The rest is hashed */ + /* Remaining multicast addresses are hashed, + * unicast will leave the filter disabled. */ memset(filter->mask, 0, sizeof(filter->mask)); - for (; n < uf.count; n++) + for (; n < uf.count; n++) { + if (!is_multicast_ether_addr(addr[n].u)) { + err = 0; /* no filter */ + goto done; + } addr_hash_set(filter->mask, addr[n].u); + } /* For ALLMULTI just set the mask to all ones. * This overrides the mask populated above. */