Thread: 29 messages, 9 authors, 2019-01-22

Re: [Patch net v2] mlx5: fixup checksum for short ethernet frame padding

From: Cong Wang <hidden>
Date: 2018-11-29 11:00:43

On Wed, Nov 28, 2018 at 3:50 PM Eric Dumazet [off-list ref] wrote:
> On Wed, Nov 28, 2018 at 2:16 PM Cong Wang [off-list ref] wrote:
>> On Wed, Nov 28, 2018 at 7:00 AM Eric Dumazet [off-list ref] wrote:
>>> Nice packet of death alert.
>>>
>>> pad_len can be 0xFFFFFF67 here, if frame_len is smaller than pad_offset.
>> Unless IP header is malformed, how could it be?
> This is totally something an attacker can forge.
Of course, as in the email I sent to mellanox guys, __vlan_get_protocol()
could _literally_ exhaust all skb->len. If no sufficient skb tail room,
we could even possibly crash.

But again, I kinda feel the hardware already does the sanity check,
otherwise we have much more serious trouble in mlx5e_lro_update_hdr()
which parses into TCP header.

Thanks.
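The wrap-around discussed in this message, as an added example that is not the mlx5 driver code or part of the original thread: it computes pad_len from frame_len and pad_offset with and without a bounds check. It assumes an untagged Ethernet frame carrying IPv4 and that pad_offset is the Ethernet header length plus the IPv4 total-length field; all function names and the sample frame are hypothetical and constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN  14u   /* assumption: untagged Ethernet, no VLAN header */
#define IPV4_HLEN 20u   /* minimal IPv4 header */

/* IPv4 total length: big-endian field at bytes 2-3 of the IP header. */
static uint16_t ipv4_tot_len(const uint8_t *frame)
{
    return (uint16_t)((frame[ETH_HLEN + 2] << 8) | frame[ETH_HLEN + 3]);
}

/* Unchecked: the u32 subtraction wraps when pad_offset > frame_len. */
uint32_t pad_len_unchecked(const uint8_t *frame, uint32_t frame_len)
{
    uint32_t pad_offset = ETH_HLEN + ipv4_tot_len(frame);
    return frame_len - pad_offset;
}

/* Checked: returns 0 and stores the padding length, or -1 when the
 * header claims more bytes than the frame actually contains. */
int pad_len_checked(const uint8_t *frame, uint32_t frame_len, uint32_t *pad_len)
{
    uint32_t pad_offset;

    if (frame_len < ETH_HLEN + IPV4_HLEN)
        return -1;                      /* header itself is truncated */
    pad_offset = ETH_HLEN + ipv4_tot_len(frame);
    if (pad_offset > frame_len)
        return -1;                      /* header disagrees with frame length */
    *pad_len = frame_len - pad_offset;
    return 0;
}

/* Constructed sample: zeroed 60-byte frame with a chosen total length. */
void make_frame(uint8_t frame[60], uint16_t tot_len)
{
    memset(frame, 0, 60);
    frame[12] = 0x08;                   /* EtherType 0x0800 (IPv4) */
    frame[ETH_HLEN] = 0x45;             /* version 4, IHL 5 */
    frame[ETH_HLEN + 2] = (uint8_t)(tot_len >> 8);
    frame[ETH_HLEN + 3] = (uint8_t)(tot_len & 0xff);
}

int main(void)
{
    uint8_t f[60];
    uint32_t pad = 0;

    make_frame(f, 199);                 /* pad_offset = 213 > frame_len = 60 */
    printf("unchecked: 0x%08X\n", (unsigned)pad_len_unchecked(f, 60));
    printf("checked:   %d\n", pad_len_checked(f, 60, &pad));
    return 0;
}
```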