linux-stable.git/drivers/firewire/net.c, branch linux-3.2.y Linux kernel stable tree firewire: net: fix fragmented datagram_size off-by-one 2017-02-23T03:50:58+00:00 Stefan Richter stefanr@s5r6.in-berlin.de 2016-10-30T16:32:01+00:00 1367cf34e7be7e5dedd68e597438e9d024a1f268 commit e9300a4b7bbae83af1f7703938c94cf6dc6d308f upstream. RFC 2734 defines the datagram_size field in fragment encapsulation headers thus: datagram_size: The encoded size of the entire IP datagram. The value of datagram_size [...] SHALL be one less than the value of Total Length in the datagram's IP header (see STD 5, RFC 791). Accordingly, the eth1394 driver of Linux 2.6.36 and older set and got this field with a -/+1 offset: ether1394_tx() /* transmit */ ether1394_encapsulate_prep() hdr->ff.dg_size = dg_size - 1; ether1394_data_handler() /* receive */ if (hdr->common.lf == ETH1394_HDR_LF_FF) dg_size = hdr->ff.dg_size + 1; else dg_size = hdr->sf.dg_size + 1; Likewise, I observe OS X 10.4 and Windows XP Pro SP3 to transmit 1500 byte sized datagrams in fragments with datagram_size=1499 if link fragmentation is required. Only firewire-net sets and gets datagram_size without this offset. The result is lacking interoperability of firewire-net with OS X, Windows XP, and presumably Linux' eth1394. (I did not test with the latter.) For example, FTP data transfers to a Linux firewire-net box with max_rec smaller than the 1500 bytes MTU - from OS X fail entirely, - from Win XP start out with a bunch of fragmented datagrams which time out, then continue with unfragmented datagrams because Win XP temporarily reduces the MTU to 576 bytes. So let's fix firewire-net's datagram_size accessors. Note that firewire-net thereby loses interoperability with unpatched firewire-net, but only if link fragmentation is employed. (This happens with large broadcast datagrams, and with large datagrams on several FireWire CardBus cards with smaller max_rec than equivalent PCI cards, and it can be worked around by setting a small enough MTU.) Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit e9300a4b7bbae83af1f7703938c94cf6dc6d308f upstream.

RFC 2734 defines the datagram_size field in fragment encapsulation
headers thus:

    datagram_size:  The encoded size of the entire IP datagram.  The
    value of datagram_size [...] SHALL be one less than the value of
    Total Length in the datagram's IP header (see STD 5, RFC 791).

Accordingly, the eth1394 driver of Linux 2.6.36 and older set and got
this field with a -/+1 offset:

    ether1394_tx() /* transmit */
        ether1394_encapsulate_prep()
            hdr->ff.dg_size = dg_size - 1;

    ether1394_data_handler() /* receive */
        if (hdr->common.lf == ETH1394_HDR_LF_FF)
            dg_size = hdr->ff.dg_size + 1;
        else
            dg_size = hdr->sf.dg_size + 1;

Likewise, I observe OS X 10.4 and Windows XP Pro SP3 to transmit 1500
byte sized datagrams in fragments with datagram_size=1499 if link
fragmentation is required.

Only firewire-net sets and gets datagram_size without this offset.  The
result is lacking interoperability of firewire-net with OS X, Windows
XP, and presumably Linux' eth1394.  (I did not test with the latter.)
For example, FTP data transfers to a Linux firewire-net box with max_rec
smaller than the 1500 bytes MTU
  - from OS X fail entirely,
  - from Win XP start out with a bunch of fragmented datagrams which
    time out, then continue with unfragmented datagrams because Win XP
    temporarily reduces the MTU to 576 bytes.

So let's fix firewire-net's datagram_size accessors.

Note that firewire-net thereby loses interoperability with unpatched
firewire-net, but only if link fragmentation is employed.  (This happens
with large broadcast datagrams, and with large datagrams on several
FireWire CardBus cards with smaller max_rec than equivalent PCI cards,
and it can be worked around by setting a small enough MTU.)

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
firewire: net: guard against rx buffer overflows 2016-11-20T01:01:43+00:00 Stefan Richter stefanr@s5r6.in-berlin.de 2016-10-29T19:28:18+00:00 4538dfea79538a98e1468088b05627f82ac69789 commit 667121ace9dbafb368618dbabcf07901c962ddac upstream. The IP-over-1394 driver firewire-net lacked input validation when handling incoming fragmented datagrams. A maliciously formed fragment with a respectively large datagram_offset would cause a memcpy past the datagram buffer. So, drop any packets carrying a fragment with offset + length larger than datagram_size. In addition, ensure that - GASP header, unfragmented encapsulation header, or fragment encapsulation header actually exists before we access it, - the encapsulated datagram or fragment is of nonzero size. Reported-by: Eyal Itkin <eyal.itkin@gmail.com> Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com> Fixes: CVE 2016-8633 Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> [bwh: Backported to 3.2: fwnet_receive_broadcast() never matches IPv6 packets] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 667121ace9dbafb368618dbabcf07901c962ddac upstream.

The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams.  A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.

So, drop any packets carrying a fragment with offset + length larger
than datagram_size.

In addition, ensure that
  - GASP header, unfragmented encapsulation header, or fragment
    encapsulation header actually exists before we access it,
  - the encapsulated datagram or fragment is of nonzero size.

Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
[bwh: Backported to 3.2: fwnet_receive_broadcast() never matches IPv6 packets]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
firewire: net: Fix handling of fragmented multicast/broadcast packets. 2013-01-03T03:33:24+00:00 Stephan Gatzka stephan.gatzka@gmail.com 2012-11-28T19:04:32+00:00 c14e119fb971506913bbbb8709c85f7716f97c3f commit 9d2373420900a39f5212a3b289331aa3535b1000 upstream. This patch fixes both the transmit and receive portion of sending fragmented mutlicast and broadcast packets. The transmit section was broken because the offset for INTFRAG and LASTFRAG packets were just miscalculated by IEEE1394_GASP_HDR_SIZE (which was reserved with skb_push() in fwnet_send_packet). The receive section was broken because in fwnet_incoming_packet is a call to fwnet_peer_find_by_node_id(). Called with generation == -1 it will not find a peer and the partial datagrams are associated to a peer. [Stefan R: The fix to use context->card->generation is not perfect. It relies on the IR tasklet which processes packets from the prior bus generation to run before the self-ID-complete worklet which sets the current card generation. Alas, there is no simple way of a race-free implementation. Let's do it this way for now.] Signed-off-by: Stephan Gatzka <stephan.gatzka@gmail.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 9d2373420900a39f5212a3b289331aa3535b1000 upstream.

This patch fixes both the transmit and receive portion of sending
fragmented mutlicast and broadcast packets.

The transmit section was broken because the offset for INTFRAG and
LASTFRAG packets were just miscalculated by IEEE1394_GASP_HDR_SIZE (which
was reserved with skb_push() in fwnet_send_packet).

The receive section was broken because in fwnet_incoming_packet is a call
to fwnet_peer_find_by_node_id(). Called with generation == -1 it will
not find a peer and the partial datagrams are associated to a peer.

[Stefan R:  The fix to use context->card->generation is not perfect.
It relies on the IR tasklet which processes packets from the prior bus
generation to run before the self-ID-complete worklet which sets the
current card generation.  Alas, there is no simple way of a race-free
implementation.  Let's do it this way for now.]

Signed-off-by: Stephan Gatzka <stephan.gatzka@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
firewire: net: Use posted writes 2011-10-09T15:00:18+00:00 Stephan Gatzka stephan@gatzka.org 2011-09-26T19:44:30+00:00 a74477db9171e677b7a37b89e6e0ac8a15ba1f26 Change memory region to ohci "middle address space". This effectively reduces the number of packets by 50%. [Stefan R.:] This eliminates 1394 ack packets and improved throughput by a few percent in some tests with an S400a connection with and without gap count optimization. Since firewire-net taxes the AR-req DMA unit of a FireWire controller much more than firewire-sbp2 (which uses the middle address space with PCI posted writes too), this commit also changes a related error printk into a ratelimited one as a precaution. Side note: The IPv4-over-1394 drivers of Mac OS X 10.4, Windows XP SP3, and the Thesycon 1394 bus driver for Windows all use the middle address space too. Signed-off-by: Stephan Gatzka <stephan@gatzka.org> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
Change memory region to ohci "middle address space". This effectively
reduces the number of packets by 50%.

[Stefan R.:]  This eliminates 1394 ack packets and improved throughput
by a few percent in some tests with an S400a connection with and without
gap count optimization.  Since firewire-net taxes the AR-req DMA unit of
a FireWire controller much more than firewire-sbp2 (which uses the
middle address space with PCI posted writes too), this commit also
changes a related error printk into a ratelimited one as a precaution.

Side note:  The IPv4-over-1394 drivers of Mac OS X 10.4, Windows XP SP3,
and the Thesycon 1394 bus driver for Windows all use the middle address
space too.

Signed-off-by: Stephan Gatzka <stephan@gatzka.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: use clamp and min3 macros 2011-10-09T15:00:18+00:00 Stefan Richter stefanr@s5r6.in-berlin.de 2011-09-18T22:20:48+00:00 4ec4a67aa100268b4ac5ae32b54843d975969969 Use kernel.h's convenience macros. Also omit a printk that should never happen and won't matter much if it ever happened. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
Use kernel.h's convenience macros.  Also omit a printk that should never
happen and won't matter much if it ever happened.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 2011-07-22T21:49:48+00:00 Linus Torvalds torvalds@linux-foundation.org 2011-07-22T21:49:48+00:00 441c196e84b11aad3123baa9320eee7abc6b5c98 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: document the sysfs ABIs firewire: cdev: ABI documentation enhancements firewire: cdev: prevent race between first get_info ioctl and bus reset event queuing firewire: cdev: return -ENOTTY for unimplemented ioctls, not -EINVAL firewire: ohci: skip soft reset retries after card ejection firewire: ohci: fix PHY reg access after card ejection firewire: ohci: add a comment on PHY reg access serialization firewire: ohci: reduce potential context_stop latency firewire: ohci: remove superfluous posted write flushes firewire: net: replacing deprecated __attribute__((packed)) with __packed 
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: document the sysfs ABIs
  firewire: cdev: ABI documentation enhancements
  firewire: cdev: prevent race between first get_info ioctl and bus reset event queuing
  firewire: cdev: return -ENOTTY for unimplemented ioctls, not -EINVAL
  firewire: ohci: skip soft reset retries after card ejection
  firewire: ohci: fix PHY reg access after card ejection
  firewire: ohci: add a comment on PHY reg access serialization
  firewire: ohci: reduce potential context_stop latency
  firewire: ohci: remove superfluous posted write flushes
  firewire: net: replacing deprecated __attribute__((packed)) with __packed
net: Push protocol type directly down to header_ops->cache() 2011-07-13T09:29:59+00:00 David S. Miller davem@davemloft.net 2011-07-13T06:28:12+00:00 e69dd336ee3a05a589629b505b18ba5e7a5b4c54 Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: David S. Miller <davem@davemloft.net>
firewire: net: replacing deprecated __attribute__((packed)) with __packed 2011-06-02T11:58:33+00:00 August Lilleaas august@augustl.com 2011-05-29T17:07:19+00:00 bf337b15c28ae25904a73e7e2e0de2f9c4f0e9f8 Fixing a deprecation, replacing __attribute__((packed)) with __packed. It was deprecated for portability, specifically to avoid GCC specific code. See commit 82ddcb040570411fc2d421d96b3e69711c670328. Signed-off-by: August Lilleaas <august@augustl.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (added include compiler.h) 
Fixing a deprecation, replacing __attribute__((packed)) with __packed.
It was deprecated for portability, specifically to avoid GCC specific
code.  See commit 82ddcb040570411fc2d421d96b3e69711c670328.

Signed-off-by: August Lilleaas <august@augustl.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (added include compiler.h)
firewire: optimize iso queueing by setting wake only after the last packet 2011-05-10T20:53:45+00:00 Clemens Ladisch clemens@ladisch.de 2011-05-02T07:33:56+00:00 13882a82ee1646336c3996c93b4a560a55d2a419 When queueing iso packets, the run time is dominated by the two MMIO accesses that set the DMA context's wake bit. Because most drivers submit packets in batches, we can save much time by removing all but the last wakeup. The internal kernel API is changed to require a call to fw_iso_context_queue_flush() after a batch of queued packets. The user space API does not change, so one call to FW_CDEV_IOC_QUEUE_ISO must specify multiple packets to take advantage of this optimization. In my measurements, this patch reduces the time needed to queue fifty skip packets from userspace to one sixth on a 2.5 GHz CPU, or to one third at 800 MHz. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
When queueing iso packets, the run time is dominated by the two
MMIO accesses that set the DMA context's wake bit.  Because most
drivers submit packets in batches, we can save much time by
removing all but the last wakeup.

The internal kernel API is changed to require a call to
fw_iso_context_queue_flush() after a batch of queued packets.
The user space API does not change, so one call to
FW_CDEV_IOC_QUEUE_ISO must specify multiple packets to take
advantage of this optimization.

In my measurements, this patch reduces the time needed to queue
fifty skip packets from userspace to one sixth on a 2.5 GHz CPU,
or to one third at 800 MHz.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Fix common misspellings 2011-03-31T14:26:23+00:00 Lucas De Marchi lucas.demarchi@profusion.mobi 2011-03-31T01:57:33+00:00 25985edcedea6396277003854657b5f3cb31a628 Fixes generated by 'codespell' and manually reviewed. Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi> 
Fixes generated by 'codespell' and manually reviewed.

Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi>