From: Neil Horman <nhorman@redhat.com> Date: Thu, 14 Jan 2010 15:31:48 -0500 Subject: [net] e1000: fix rx length check errors Bugzilla: 550915 CVE: CVE-2009-4536 Hey all- A recent security conference unveiled an exploit in the e1000 driver. I've written the following patches, and am in the process of testing them. Since its the holidays though I figured I should post these here now in case any customers call in about this issues. Upstream discussions can be followed here: http://marc.info/?l=linux-netdev&m=126203101730472&w=2 Satisfies bz 550915. diff --git a/drivers/net/e1000/e1000.h b/drivers/net/e1000/e1000.h index c6250c2..fa3e855 100644 --- a/drivers/net/e1000/e1000.h +++ b/drivers/net/e1000/e1000.h @@ -358,7 +358,8 @@ struct e1000_adapter { enum e1000_state_t { __E1000_TESTING, __E1000_RESETTING, - __E1000_DOWN + __E1000_DOWN, + __E1000_DISCARDING }; extern char e1000_driver_name[]; diff --git a/drivers/net/e1000/e1000_main.c b/drivers/net/e1000/e1000_main.c index cb5b9bd..edd9fd4 100644 --- a/drivers/net/e1000/e1000_main.c +++ b/drivers/net/e1000/e1000_main.c @@ -4233,15 +4233,21 @@ e1000_clean_rx_irq(struct e1000_adapter *adapter, length = le16_to_cpu(rx_desc->length); - if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) { + if (unlikely(!(status & E1000_RXD_STAT_EOP))) + set_bit(__E1000_DISCARDING, &adapter->flags); + + if (test_bit(__E1000_DISCARDING, &adapter->flags)) { /* All receives must fit into a single buffer */ E1000_DBG("%s: Receive packet consumed multiple" " buffers\n", netdev->name); /* recycle */ buffer_info->skb = skb; + if (status & E1000_RXD_STAT_EOP) + clear_bit(__E1000_DISCARDING, &adapter->flags); goto next_desc; } + if (unlikely(rx_desc->errors & E1000_RXD_ERR_FRAME_ERR_MASK)) { last_byte = *(skb->data + length - 1); if (TBI_ACCEPT(&adapter->hw, status,