Hi, > > @@ -924,7 +926,9 @@ cbq_dequeue_prio(struct Qdisc *sch, int > > cl->xstats.borrows += skb->len; > > #endif > > } > > - q->tx_len = skb->len; > > + q->tx_segs = skb_shinfo(skb)->gso_segs ? : > > + skb_shinfo(skb)->gso_size ? skb->len/skb_shinfo(skb)->gso_size + 1 : 1; > > + q->tx_len = (skb->len - 1)/q->tx_segs + 1; > > This isn't safe for Xen (and potentially other virtualisation > environments) since qdisc code runs before dev_hard_start_xmit > which is where we verify the sanity of gso_segs. So you could > be using some arbitrary value from an untrusted source. > > If you really want to use it, you should test for SKB_GSO_DODGY > on the packet which will be set if gso_segs can't be trusted. Yep, you have a point that some sanity check should be added. I think a simple check would be enough not to crash CBQ as the accurate checking will be done in dev_hard_start_xmit or device drivers. Thanks, Hirokazu Takahashi. - To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
