On Mon, 2013-09-30 at 20:25 +1000, Kris Shannon wrote: > I was eagerly awating the release of linux-2.6_2.6.32-48squeeze4 > because it would fix #701744 (fallout from XSA-39: Linux netback DoS > via malicious guest ring) > > > It turns out I should have read the bug report more closely. > > #701744 was only about the xen-netback side of things. > > > I haven't been able to find a debian bug about the REAL bug - the > xen-netfront gso overflow. > > > Upstream have patched this: > http://git.kernel.org/linus/9ecd1a75d977e2e8c48139c7d3efed183f898d94 > > "netfront: reduce gso_max_size to account for max TCP header" > > > Is this likely to go into a squeeze kernel?
Maybe. Ian, is this going to be possible to backport? > The xen environment I'm running these squeeze VM's in is running on > CentOS dom0's and Redhat have closed the visible bugs I can find on > this as "Not a bug" :( Right, the over-64K skbs are very definitely a netfront bug and it is correct for dom0 to reject them from an unpatched guest. As a temporary workaround I think that turning off TSO on netfront would avoid the problem, but it will reduce network TX performance. Ben. -- Ben Hutchings I haven't lost my mind; it's backed up on tape somewhere.
signature.asc
Description: This is a digitally signed message part
