git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	Jesse Brandeburg <jesse.brandeburg@intel.com>
	Tue, 19 Jan 2010 14:15:38 +0000 (14:15 +0000)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Tue, 9 Feb 2010 12:50:45 +0000 (04:50 -0800)
commit	dff2267e0c21d0d478b29bc921e8ec4f0ea462e6
tree	e12633ebef5177f5b688a4a15741f584140543ca	tree \| snapshot
parent	cfc7e54cd19cabdadf803be3d6a04d89f2663aa5	commit \| diff

e1000: enhance frame fragment detection

commit 40a14deaf411592b57cb0720f0e8004293ab9865 upstream.

Originally From: Neil Horman <nhorman@tuxdriver.com>
Modified by: Jesse Brandeburg <jesse.brandeburg@intel.com>

Hey all-
A security discussion was recently given:
http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
And a patch that I submitted awhile back was brought up.  Apparently some of
their testing revealed that they were able to force a buffer fragment in e1000
in which the trailing fragment was greater than 4 bytes.  As a result the
fragment check I introduced failed to detect the fragement and a partial
invalid frame was passed up into the network stack.  I've written this patch
to correct it.  I'm in the process of testing it now, but it makes good
logical sense to me.  Effectively it maintains a per-adapter state variable
which detects a non-EOP frame, and discards it and subsequent non-EOP frames
leading up to _and_ _including_ the next positive-EOP frame (as it is by
definition the last fragment).  This should prevent any and all partial frames
from entering the network stack from e1000.

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

drivers/net/e1000/e1000.h		diff \| blob \| history
drivers/net/e1000/e1000_main.c		diff \| blob \| history