[ovs-dev] [PATCH] datapath: Avoid null deref when GSO is for verifying header integrity only.

Jesse Gross jesse at nicira.com
Mon Jan 21 22:25:34 UTC 2013


On Mon, Jan 21, 2013 at 10:11 AM, Ben Pfaff <blp at nicira.com> wrote:
> skb_gso_segment() has the following comment:
>
>  *    It may return NULL if the skb requires no segmentation.  This is
>  *    only possible when GSO is used for verifying header integrity.
>
> Somehow queue_gso_packets() has never hit this case before, but some
> failures have suddenly been reported.  This commit should fix the problem.
>
> Bug #14772.
> Reported-by: Deepesh Govindan <dgovindan at vmware.com>.
> Signed-off-by: Ben Pfaff <blp at nicira.com>

Acked-by: Jesse Gross <jesse at nicira.com>

However, I think we also potentially have a similar problem in
tunnel.c:handle_offloads().

> ---
> I don't know how to trigger this condition, so I haven't tested this
> patch beyond verifying that it compiles against the Linux 3.2 kernel
> on which the problem was reported.  The patch was generated against
> branch-1.7 because that's where the problem occurred; it looks like
> it should apply cleanly against master also.

We shouldn't normally be hitting this case because we're actually
trying to do GSO, not header validation.  However, I guess the
guest/backend must be generating a packet with an MSS, which tricks us
into thinking that it's GSO, but no GSO is actually requested.  In the
case of the bridge, header validation does take place so the situation
is handled already.  It seems not ideal that the network backend
doesn't sanitize these packets but it's probably good that we handle
it in any case.

Our behavior here hasn't changed in a long time, I think this should
apply equally to essentially all branches.



More information about the dev mailing list