On Wed, Nov 28, 2018 at 3:50 PM Eric Dumazet <eduma...@google.com> wrote:
>
> On Wed, Nov 28, 2018 at 2:16 PM Cong Wang <xiyou.wangc...@gmail.com> wrote:
> >
> > On Wed, Nov 28, 2018 at 7:00 AM Eric Dumazet <eduma...@google.com> wrote:
> > >
> > > Nice packet of death alert.
> > >
> > > pad_len can be 0xFFFFFF67 here, if frame_len is smaller than pad_offset.
> >
> > Unless IP header is malformed, how could it be?
>
> This is totally something an attacker can forge.

Of course, as in the email I sent to the Mellanox guys, __vlan_get_protocol() could _literally_ exhaust all skb->len. If there is not sufficient skb tail room, we could even possibly crash.

But again, I kinda feel the hardware already does the sanity check, otherwise we have much more serious trouble in mlx5e_lro_update_hdr() which parses into TCP header.

Thanks.
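
The wrap-around discussed in this thread, as an added example that is not code from the thread or from the mlx5 driver. It assumes pad_len is a 32-bit unsigned `frame_len - pad_offset` and that pad_offset is the L2 header length plus the length field read from the IP header; the function names and sample lengths are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: pad_offset = L2 header length + IPv4 tot_len taken from the packet. */
static uint32_t pad_offset_from_hdr(uint32_t network_depth, uint16_t ip_tot_len)
{
    return network_depth + ip_tot_len;
}

/* Unchecked form: unsigned subtraction wraps when frame_len < pad_offset. */
static uint32_t pad_len_unchecked(uint32_t frame_len, uint32_t pad_offset)
{
    return frame_len - pad_offset;
}

/*
 * Checked form: refuse a header whose claimed length exceeds the bytes
 * actually received. Returns 0 and stores the padding length on success,
 * -1 when the header and the frame length disagree.
 */
static int pad_len_checked(uint32_t frame_len, uint32_t pad_offset,
                           uint32_t *pad_len)
{
    if (pad_offset > frame_len)
        return -1;
    *pad_len = frame_len - pad_offset;
    return 0;
}

int main(void)
{
    uint32_t frame_len = 60;                        /* constructed: minimum Ethernet frame */
    uint32_t bad = pad_offset_from_hdr(14, 199);    /* header claims more than was received */
    uint32_t ok = pad_offset_from_hdr(14, 40);      /* consistent header, 6 bytes of padding */
    uint32_t len = 0;

    printf("unchecked, inconsistent header: 0x%08X\n",
           (unsigned)pad_len_unchecked(frame_len, bad));
    printf("checked, inconsistent header:   %d\n",
           pad_len_checked(frame_len, bad, &len));
    if (pad_len_checked(frame_len, ok, &len) == 0)
        printf("checked, consistent header:     %u\n", (unsigned)len);
    return 0;
}
```

With a 60-byte frame and a claimed offset of 213, the unchecked subtraction yields the 0xFFFFFF67 value quoted above, while the checked form rejects the frame before any length is used.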