    e1000: enhance frame fragment detection · 40a14dea
    Jesse Brandeburg authored
    Originally From: Neil Horman <nhorman@tuxdriver.com>
    Modified by: Jesse Brandeburg <jesse.brandeburg@intel.com>
    
    Hey all-
    	A security discussion was recently given:
    http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
    And a patch that I submitted awhile back was brought up.  Apparently some of
    their testing revealed that they were able to force a buffer fragment in e1000
    in which the trailing fragment was greater than 4 bytes.  As a result the
    fragment check I introduced failed to detect the fragment and a partial
    invalid frame was passed up into the network stack.  I've written this patch
    to correct it.  I'm in the process of testing it now, but it makes good
    logical sense to me.  Effectively it maintains a per-adapter state variable
    which detects a non-EOP frame, and discards it and subsequent non-EOP frames
    leading up to _and_ _including_ the next positive-EOP frame (as it is by
    definition the last fragment).  This should prevent any and all partial frames
    from entering the network stack from e1000.
    Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
e1000.h 9.84 KB
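
The discard logic the commit message describes, modelled as a stand-alone C program. This is an added example, not the e1000 driver's code: `struct rx_desc`, `struct rx_state`, `rx_accept`, `rx_filter` and the sample ring are hypothetical names and constructed data. It shows that the decision depends only on the EOP flag and the saved state, so the length of the trailing fragment no longer matters.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a receive descriptor; eop marks the
 * buffer that ends a frame. */
struct rx_desc { unsigned len; bool eop; };

/* Hypothetical per-adapter state: true while a split frame is being dropped. */
struct rx_state { bool discarding; };

/* Returns true only if this buffer holds a complete frame that may be
 * passed up the stack. */
static bool rx_accept(struct rx_state *st, const struct rx_desc *d)
{
    if (!d->eop)
        st->discarding = true;       /* non-EOP buffer: frame is fragmented */
    if (st->discarding) {
        if (d->eop)
            st->discarding = false;  /* last fragment: drop it too, then resume */
        return false;
    }
    return true;
}

/* Runs the filter over n descriptors and records the indices accepted. */
static size_t rx_filter(struct rx_state *st, const struct rx_desc *ring,
                        size_t n, size_t *accepted)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (rx_accept(st, &ring[i]))
            accepted[kept++] = i;
    return kept;
}

/* Constructed sample: one whole frame, one frame split over three buffers
 * whose trailing fragment is far longer than 4 bytes, one whole frame. */
static const struct rx_desc sample_ring[] = {
    { 60, true }, { 2048, false }, { 2048, false }, { 900, true }, { 128, true },
};

int main(void)
{
    struct rx_state st = { false };
    size_t idx[5];
    size_t n = rx_filter(&st, sample_ring, 5, idx);
    for (size_t i = 0; i < n; i++)
        printf("accepted descriptor %zu (%u bytes)\n", idx[i], sample_ring[idx[i]].len);
    return 0;
}
```

Because the state lives outside the per-call loop, a split frame that straddles two polling passes is still dropped in full.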