linux_dsm_epyc7002/drivers
Neil Horman ea30e11970 e1000: add missing length check to e1000 receive routine
Patch to fix bad length checking in e1000.  E1000 by default does two
things:

1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
2) Strips the crc from a frame by subtracting 4 bytes from the length prior to
doing an skb_put

Since the e1000 driver isn't written to support receiving packets that span
multiple rx buffers, it checks the End of Packet bit of every frame, and
discards it if its not set.  This places us in a situation where, if we have a
spanning packet, the first part is discarded, but the second part is not (since
it is the end of packet, and it passes the EOP bit test).  If the second part of
the frame is small (4 bytes or less), we subtract 4 from it to remove its crc,
underflow the length, and wind up in skb_over_panic, when we try to skb_put a
huge number of bytes into the skb.  This amounts to a remote DOS attack through
careful selection of frame size in relation to interface MTU.  The fix for this
is already in the e1000e driver, as well as the e1000 sourceforge driver, but no
one ever pushed it to e1000.  This is lifted straight from e1000e, and prevents
small frames from causing the underflow described above

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-06-02 01:29:58 -07:00
..
accessibility
acpi Merge branches 'release', 'bugzilla-13032', 'bugzilla-13041+', 'bugzilla-13121', 'bugzilla-13165', 'bugzilla-13243', 'bugzilla-13259', 'resume-sci-en-regression', 'thermal-regression', 'tsc-regression' and 'asus-2.6.30' into release 2009-05-16 01:55:59 -04:00
amba
ata libata: Media rotation rate and form factor heuristics 2009-05-15 14:14:56 -04:00
atm Replace all DMA_nBIT_MASK macro with DMA_BIT_MASK(n) 2009-04-13 15:04:33 -07:00
auxdisplay
base Revert driver core: move platform_data into platform_device 2009-05-08 19:22:21 -07:00
block hd: fix locking 2009-04-28 20:24:20 +02:00
bluetooth
cdrom
char sysrq, intel_fb: fix sysrq g collision 2009-05-15 07:56:24 -05:00
clocksource clocksource: pass clocksource to read() callback 2009-04-21 13:41:47 -07:00
connector
cpufreq
cpuidle
crypto dma-mapping: replace all DMA_32BIT_MASK macro with DMA_BIT_MASK(32) 2009-04-07 08:31:11 -07:00
dca
dio
dma dma: fix ipu_idmac.c to not discard the last queued buffer 2009-05-12 14:41:48 -07:00
edac edac: ppc mpc85xx fix mc err detect 2009-04-21 13:41:51 -07:00
eisa
firewire
firmware ibft: fix the display of a few fields in the NIC attribute structure in sysfs 2009-05-02 15:36:10 -07:00
gpio Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-04-03 15:24:35 -07:00
gpu Merge branches 'release', 'bugzilla-13032', 'bugzilla-13041+', 'bugzilla-13121', 'bugzilla-13165', 'bugzilla-13243', 'bugzilla-13259', 'resume-sci-en-regression', 'thermal-regression', 'tsc-regression' and 'asus-2.6.30' into release 2009-05-16 01:55:59 -04:00
hid HID: add NOGET quirk for devices from CH Products 2009-05-11 17:09:21 +02:00
hwmon hwmon: (w83781d) Fix W83782D support (NULL pointer dereference) 2009-05-08 20:27:28 +02:00
i2c Merge branch 'i2c-for-2630-rc5' of git://aeryn.fluff.org.uk/bjdooks/linux 2009-05-12 11:21:51 -07:00
ide piix: The Sony TZ90 needs the cable type hardcoding 2009-05-16 19:03:36 +02:00
idle dma-mapping: replace all DMA_64BIT_MASK macro with DMA_BIT_MASK(64) 2009-04-07 08:31:10 -07:00
ieee1394 dma-mapping: replace all DMA_32BIT_MASK macro with DMA_BIT_MASK(32) 2009-04-07 08:31:11 -07:00
infiniband Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband 2009-05-13 16:31:12 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2009-05-12 11:21:24 -07:00
isdn gigaset: beyond ARRAY_SIZE of iwb->data 2009-05-21 15:04:15 -07:00
leds leds: just ignore invalid GPIOs in leds-gpio 2009-04-08 14:13:48 +01:00
lguest lguest: fix guest crash on non-linear addresses in gdt pvops 2009-04-19 23:14:01 +09:30
macintosh Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6 2009-04-24 08:16:05 -07:00
mca
md md: remove rd%d links immediately after stopping an array. 2009-05-07 12:51:06 +10:00
media V4L/DVB (11680): cafe_ccic: use = instead of == for setting a value at a var 2009-05-09 18:54:32 -03:00
memstick dma-mapping: replace all DMA_32BIT_MASK macro with DMA_BIT_MASK(32) 2009-04-07 08:31:11 -07:00
message scsi: mpt: suppress debugobjects warning 2009-04-21 13:41:50 -07:00
mfd mfd: fix da903x warning 2009-04-05 00:32:25 +02:00
misc isl29003: fix resume functionality 2009-05-06 16:36:10 -07:00
mmc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/drzeus/mmc 2009-05-05 08:23:16 -07:00
mtd Convert obvious places to deactivate_locked_super() 2009-05-09 10:49:40 -04:00
net e1000: add missing length check to e1000 receive routine 2009-06-02 01:29:58 -07:00
nubus
of
oprofile Merge branch 'tracing-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2009-04-05 11:04:19 -07:00
parisc parport: Fix various uses of parport_pc 2009-04-14 08:48:50 -07:00
parport parport: Use the PCI IRQ if offered 2009-04-07 08:44:06 -07:00
pci Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6 2009-05-15 16:47:55 -07:00
pcmcia [ARM] 5458/1: pcmcia: pxa2xx-sharpsl: check if we do have Scoop config 2009-04-23 23:25:40 +01:00
platform eeepc-laptop: unregister_rfkill_notifier on failure 2009-05-14 11:28:27 -04:00
pnp ACPI: suspend: don't let device _PS3 failure prevent suspend 2009-05-08 00:22:29 -04:00
power Merge git://git.infradead.org/battery-2.6 2009-04-08 17:45:02 -07:00
ps3
rapidio dma-mapping: replace all DMA_32BIT_MASK macro with DMA_BIT_MASK(32) 2009-04-07 08:31:11 -07:00
regulator regulator: Fix default constraints for fixed voltage regulators 2009-04-28 18:58:08 +01:00
rtc rtc: rtc-twl4030 don't mask alarm interrupts on suspend 2009-05-12 14:11:35 -07:00
s390 [SCSI] zfcp: Fix oops when port disappears 2009-04-27 10:07:37 -05:00
sbus sbus: changed ioctls to unlocked 2009-04-14 19:46:19 -07:00
scsi Reduce path_lookup() abuses 2009-05-09 10:49:42 -04:00
serial Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2009-05-15 08:05:02 -07:00
sh sh: intc: Added resume from hibernation support to the intc 2009-04-06 08:55:19 -07:00
sn dma-mapping: replace all DMA_64BIT_MASK macro with DMA_BIT_MASK(64) 2009-04-07 08:31:10 -07:00
spi pxa2xx_spi: prevent panic case setup() fails 2009-05-12 14:11:34 -07:00
ssb
staging Staging: comedi: David doesn't want to get comedi patches 2009-05-08 19:39:28 -07:00
tc
telephony
thermal thermal: fix off-by-1 error in trip point trigger condition 2009-05-14 13:40:53 -04:00
uio UIO: fix specific device driver missing statement for depmod 2009-04-16 16:17:11 -07:00
usb usb-serial: ftdi_sio: fix reference counting of ftdi_private 2009-05-08 19:34:57 -07:00
uwb dma-mapping: replace all DMA_32BIT_MASK macro with DMA_BIT_MASK(32) 2009-04-07 08:31:11 -07:00
video MIPS: gbe: Make needlessly global symbols static in drivers/video/gbefb.c 2009-05-14 13:50:25 +01:00
virtio virtio: fix suspend when using virtio_balloon 2009-04-19 23:14:01 +09:30
w1 mfd: remove DS1WM clock handling 2009-04-05 00:32:22 +02:00
watchdog [ARM] 5460/1: Orion: reduce namespace pollution 2009-04-23 23:25:41 +01:00
xen [IA64] xen_domu_defconfig: fix build issues/warnings 2009-05-05 11:43:13 -07:00
zorro
Kconfig
Makefile V4L/DVB (11561a): move media after i2c 2009-04-29 15:41:13 -03:00