Commit 485c2967d622449f4bbfae305a6fc4e185b5b094
Committed by
David S. Miller
David S. Miller
1 parent
d0ee011f72
Exists in
master
and in
7 other branches
[BRIDGE]: random extra bytes on STP TCN packet
We seem to send 3 extra bytes in a TCN, which will be whatever happens to be on the stack. Thanks to Aji_Srinivas@emc.com for seeing. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 1 additions and 1 deletions Inline Diff
net/bridge/br_stp_bpdu.c
| 1 | /* | 1 | /* |
| 2 | * Spanning tree protocol; BPDU handling | 2 | * Spanning tree protocol; BPDU handling |
| 3 | * Linux ethernet bridge | 3 | * Linux ethernet bridge |
| 4 | * | 4 | * |
| 5 | * Authors: | 5 | * Authors: |
| 6 | * Lennert Buytenhek <buytenh@gnu.org> | 6 | * Lennert Buytenhek <buytenh@gnu.org> |
| 7 | * | 7 | * |
| 8 | * $Id: br_stp_bpdu.c,v 1.3 2001/11/10 02:35:25 davem Exp $ | 8 | * $Id: br_stp_bpdu.c,v 1.3 2001/11/10 02:35:25 davem Exp $ |
| 9 | * | 9 | * |
| 10 | * This program is free software; you can redistribute it and/or | 10 | * This program is free software; you can redistribute it and/or |
| 11 | * modify it under the terms of the GNU General Public License | 11 | * modify it under the terms of the GNU General Public License |
| 12 | * as published by the Free Software Foundation; either version | 12 | * as published by the Free Software Foundation; either version |
| 13 | * 2 of the License, or (at your option) any later version. | 13 | * 2 of the License, or (at your option) any later version. |
| 14 | */ | 14 | */ |
| 15 | 15 | ||
| 16 | #include <linux/kernel.h> | 16 | #include <linux/kernel.h> |
| 17 | #include <linux/netfilter_bridge.h> | 17 | #include <linux/netfilter_bridge.h> |
| 18 | #include <linux/etherdevice.h> | 18 | #include <linux/etherdevice.h> |
| 19 | #include <linux/llc.h> | 19 | #include <linux/llc.h> |
| 20 | #include <net/llc.h> | 20 | #include <net/llc.h> |
| 21 | #include <net/llc_pdu.h> | 21 | #include <net/llc_pdu.h> |
| 22 | #include <asm/unaligned.h> | 22 | #include <asm/unaligned.h> |
| 23 | 23 | ||
| 24 | #include "br_private.h" | 24 | #include "br_private.h" |
| 25 | #include "br_private_stp.h" | 25 | #include "br_private_stp.h" |
| 26 | 26 | ||
| 27 | #define STP_HZ 256 | 27 | #define STP_HZ 256 |
| 28 | 28 | ||
| 29 | #define LLC_RESERVE sizeof(struct llc_pdu_un) | 29 | #define LLC_RESERVE sizeof(struct llc_pdu_un) |
| 30 | 30 | ||
| 31 | static void br_send_bpdu(struct net_bridge_port *p, | 31 | static void br_send_bpdu(struct net_bridge_port *p, |
| 32 | const unsigned char *data, int length) | 32 | const unsigned char *data, int length) |
| 33 | { | 33 | { |
| 34 | struct sk_buff *skb; | 34 | struct sk_buff *skb; |
| 35 | 35 | ||
| 36 | if (!p->br->stp_enabled) | 36 | if (!p->br->stp_enabled) |
| 37 | return; | 37 | return; |
| 38 | 38 | ||
| 39 | skb = dev_alloc_skb(length+LLC_RESERVE); | 39 | skb = dev_alloc_skb(length+LLC_RESERVE); |
| 40 | if (!skb) | 40 | if (!skb) |
| 41 | return; | 41 | return; |
| 42 | 42 | ||
| 43 | skb->dev = p->dev; | 43 | skb->dev = p->dev; |
| 44 | skb->protocol = htons(ETH_P_802_2); | 44 | skb->protocol = htons(ETH_P_802_2); |
| 45 | 45 | ||
| 46 | skb_reserve(skb, LLC_RESERVE); | 46 | skb_reserve(skb, LLC_RESERVE); |
| 47 | memcpy(__skb_put(skb, length), data, length); | 47 | memcpy(__skb_put(skb, length), data, length); |
| 48 | 48 | ||
| 49 | llc_pdu_header_init(skb, LLC_PDU_TYPE_U, LLC_SAP_BSPAN, | 49 | llc_pdu_header_init(skb, LLC_PDU_TYPE_U, LLC_SAP_BSPAN, |
| 50 | LLC_SAP_BSPAN, LLC_PDU_CMD); | 50 | LLC_SAP_BSPAN, LLC_PDU_CMD); |
| 51 | llc_pdu_init_as_ui_cmd(skb); | 51 | llc_pdu_init_as_ui_cmd(skb); |
| 52 | 52 | ||
| 53 | llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr); | 53 | llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr); |
| 54 | 54 | ||
| 55 | NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, | 55 | NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, |
| 56 | dev_queue_xmit); | 56 | dev_queue_xmit); |
| 57 | } | 57 | } |
| 58 | 58 | ||
| 59 | static inline void br_set_ticks(unsigned char *dest, int j) | 59 | static inline void br_set_ticks(unsigned char *dest, int j) |
| 60 | { | 60 | { |
| 61 | unsigned long ticks = (STP_HZ * j)/ HZ; | 61 | unsigned long ticks = (STP_HZ * j)/ HZ; |
| 62 | 62 | ||
| 63 | put_unaligned(htons(ticks), (__be16 *)dest); | 63 | put_unaligned(htons(ticks), (__be16 *)dest); |
| 64 | } | 64 | } |
| 65 | 65 | ||
| 66 | static inline int br_get_ticks(const unsigned char *src) | 66 | static inline int br_get_ticks(const unsigned char *src) |
| 67 | { | 67 | { |
| 68 | unsigned long ticks = ntohs(get_unaligned((__be16 *)src)); | 68 | unsigned long ticks = ntohs(get_unaligned((__be16 *)src)); |
| 69 | 69 | ||
| 70 | return (ticks * HZ + STP_HZ - 1) / STP_HZ; | 70 | return (ticks * HZ + STP_HZ - 1) / STP_HZ; |
| 71 | } | 71 | } |
| 72 | 72 | ||
| 73 | /* called under bridge lock */ | 73 | /* called under bridge lock */ |
| 74 | void br_send_config_bpdu(struct net_bridge_port *p, struct br_config_bpdu *bpdu) | 74 | void br_send_config_bpdu(struct net_bridge_port *p, struct br_config_bpdu *bpdu) |
| 75 | { | 75 | { |
| 76 | unsigned char buf[35]; | 76 | unsigned char buf[35]; |
| 77 | 77 | ||
| 78 | buf[0] = 0; | 78 | buf[0] = 0; |
| 79 | buf[1] = 0; | 79 | buf[1] = 0; |
| 80 | buf[2] = 0; | 80 | buf[2] = 0; |
| 81 | buf[3] = BPDU_TYPE_CONFIG; | 81 | buf[3] = BPDU_TYPE_CONFIG; |
| 82 | buf[4] = (bpdu->topology_change ? 0x01 : 0) | | 82 | buf[4] = (bpdu->topology_change ? 0x01 : 0) | |
| 83 | (bpdu->topology_change_ack ? 0x80 : 0); | 83 | (bpdu->topology_change_ack ? 0x80 : 0); |
| 84 | buf[5] = bpdu->root.prio[0]; | 84 | buf[5] = bpdu->root.prio[0]; |
| 85 | buf[6] = bpdu->root.prio[1]; | 85 | buf[6] = bpdu->root.prio[1]; |
| 86 | buf[7] = bpdu->root.addr[0]; | 86 | buf[7] = bpdu->root.addr[0]; |
| 87 | buf[8] = bpdu->root.addr[1]; | 87 | buf[8] = bpdu->root.addr[1]; |
| 88 | buf[9] = bpdu->root.addr[2]; | 88 | buf[9] = bpdu->root.addr[2]; |
| 89 | buf[10] = bpdu->root.addr[3]; | 89 | buf[10] = bpdu->root.addr[3]; |
| 90 | buf[11] = bpdu->root.addr[4]; | 90 | buf[11] = bpdu->root.addr[4]; |
| 91 | buf[12] = bpdu->root.addr[5]; | 91 | buf[12] = bpdu->root.addr[5]; |
| 92 | buf[13] = (bpdu->root_path_cost >> 24) & 0xFF; | 92 | buf[13] = (bpdu->root_path_cost >> 24) & 0xFF; |
| 93 | buf[14] = (bpdu->root_path_cost >> 16) & 0xFF; | 93 | buf[14] = (bpdu->root_path_cost >> 16) & 0xFF; |
| 94 | buf[15] = (bpdu->root_path_cost >> 8) & 0xFF; | 94 | buf[15] = (bpdu->root_path_cost >> 8) & 0xFF; |
| 95 | buf[16] = bpdu->root_path_cost & 0xFF; | 95 | buf[16] = bpdu->root_path_cost & 0xFF; |
| 96 | buf[17] = bpdu->bridge_id.prio[0]; | 96 | buf[17] = bpdu->bridge_id.prio[0]; |
| 97 | buf[18] = bpdu->bridge_id.prio[1]; | 97 | buf[18] = bpdu->bridge_id.prio[1]; |
| 98 | buf[19] = bpdu->bridge_id.addr[0]; | 98 | buf[19] = bpdu->bridge_id.addr[0]; |
| 99 | buf[20] = bpdu->bridge_id.addr[1]; | 99 | buf[20] = bpdu->bridge_id.addr[1]; |
| 100 | buf[21] = bpdu->bridge_id.addr[2]; | 100 | buf[21] = bpdu->bridge_id.addr[2]; |
| 101 | buf[22] = bpdu->bridge_id.addr[3]; | 101 | buf[22] = bpdu->bridge_id.addr[3]; |
| 102 | buf[23] = bpdu->bridge_id.addr[4]; | 102 | buf[23] = bpdu->bridge_id.addr[4]; |
| 103 | buf[24] = bpdu->bridge_id.addr[5]; | 103 | buf[24] = bpdu->bridge_id.addr[5]; |
| 104 | buf[25] = (bpdu->port_id >> 8) & 0xFF; | 104 | buf[25] = (bpdu->port_id >> 8) & 0xFF; |
| 105 | buf[26] = bpdu->port_id & 0xFF; | 105 | buf[26] = bpdu->port_id & 0xFF; |
| 106 | 106 | ||
| 107 | br_set_ticks(buf+27, bpdu->message_age); | 107 | br_set_ticks(buf+27, bpdu->message_age); |
| 108 | br_set_ticks(buf+29, bpdu->max_age); | 108 | br_set_ticks(buf+29, bpdu->max_age); |
| 109 | br_set_ticks(buf+31, bpdu->hello_time); | 109 | br_set_ticks(buf+31, bpdu->hello_time); |
| 110 | br_set_ticks(buf+33, bpdu->forward_delay); | 110 | br_set_ticks(buf+33, bpdu->forward_delay); |
| 111 | 111 | ||
| 112 | br_send_bpdu(p, buf, 35); | 112 | br_send_bpdu(p, buf, 35); |
| 113 | } | 113 | } |
| 114 | 114 | ||
| 115 | /* called under bridge lock */ | 115 | /* called under bridge lock */ |
| 116 | void br_send_tcn_bpdu(struct net_bridge_port *p) | 116 | void br_send_tcn_bpdu(struct net_bridge_port *p) |
| 117 | { | 117 | { |
| 118 | unsigned char buf[4]; | 118 | unsigned char buf[4]; |
| 119 | 119 | ||
| 120 | buf[0] = 0; | 120 | buf[0] = 0; |
| 121 | buf[1] = 0; | 121 | buf[1] = 0; |
| 122 | buf[2] = 0; | 122 | buf[2] = 0; |
| 123 | buf[3] = BPDU_TYPE_TCN; | 123 | buf[3] = BPDU_TYPE_TCN; |
| 124 | br_send_bpdu(p, buf, 7); | 124 | br_send_bpdu(p, buf, 4); |
| 125 | } | 125 | } |
| 126 | 126 | ||
| 127 | /* | 127 | /* |
| 128 | * Called from llc. | 128 | * Called from llc. |
| 129 | * | 129 | * |
| 130 | * NO locks, but rcu_read_lock (preempt_disabled) | 130 | * NO locks, but rcu_read_lock (preempt_disabled) |
| 131 | */ | 131 | */ |
| 132 | int br_stp_rcv(struct sk_buff *skb, struct net_device *dev, | 132 | int br_stp_rcv(struct sk_buff *skb, struct net_device *dev, |
| 133 | struct packet_type *pt, struct net_device *orig_dev) | 133 | struct packet_type *pt, struct net_device *orig_dev) |
| 134 | { | 134 | { |
| 135 | const struct llc_pdu_un *pdu = llc_pdu_un_hdr(skb); | 135 | const struct llc_pdu_un *pdu = llc_pdu_un_hdr(skb); |
| 136 | const unsigned char *dest = eth_hdr(skb)->h_dest; | 136 | const unsigned char *dest = eth_hdr(skb)->h_dest; |
| 137 | struct net_bridge_port *p = rcu_dereference(dev->br_port); | 137 | struct net_bridge_port *p = rcu_dereference(dev->br_port); |
| 138 | struct net_bridge *br; | 138 | struct net_bridge *br; |
| 139 | const unsigned char *buf; | 139 | const unsigned char *buf; |
| 140 | 140 | ||
| 141 | if (!p) | 141 | if (!p) |
| 142 | goto err; | 142 | goto err; |
| 143 | 143 | ||
| 144 | if (pdu->ssap != LLC_SAP_BSPAN | 144 | if (pdu->ssap != LLC_SAP_BSPAN |
| 145 | || pdu->dsap != LLC_SAP_BSPAN | 145 | || pdu->dsap != LLC_SAP_BSPAN |
| 146 | || pdu->ctrl_1 != LLC_PDU_TYPE_U) | 146 | || pdu->ctrl_1 != LLC_PDU_TYPE_U) |
| 147 | goto err; | 147 | goto err; |
| 148 | 148 | ||
| 149 | if (!pskb_may_pull(skb, 4)) | 149 | if (!pskb_may_pull(skb, 4)) |
| 150 | goto err; | 150 | goto err; |
| 151 | 151 | ||
| 152 | /* compare of protocol id and version */ | 152 | /* compare of protocol id and version */ |
| 153 | buf = skb->data; | 153 | buf = skb->data; |
| 154 | if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0) | 154 | if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0) |
| 155 | goto err; | 155 | goto err; |
| 156 | 156 | ||
| 157 | br = p->br; | 157 | br = p->br; |
| 158 | spin_lock(&br->lock); | 158 | spin_lock(&br->lock); |
| 159 | 159 | ||
| 160 | if (p->state == BR_STATE_DISABLED | 160 | if (p->state == BR_STATE_DISABLED |
| 161 | || !br->stp_enabled | 161 | || !br->stp_enabled |
| 162 | || !(br->dev->flags & IFF_UP)) | 162 | || !(br->dev->flags & IFF_UP)) |
| 163 | goto out; | 163 | goto out; |
| 164 | 164 | ||
| 165 | if (compare_ether_addr(dest, br->group_addr) != 0) | 165 | if (compare_ether_addr(dest, br->group_addr) != 0) |
| 166 | goto out; | 166 | goto out; |
| 167 | 167 | ||
| 168 | buf = skb_pull(skb, 3); | 168 | buf = skb_pull(skb, 3); |
| 169 | 169 | ||
| 170 | if (buf[0] == BPDU_TYPE_CONFIG) { | 170 | if (buf[0] == BPDU_TYPE_CONFIG) { |
| 171 | struct br_config_bpdu bpdu; | 171 | struct br_config_bpdu bpdu; |
| 172 | 172 | ||
| 173 | if (!pskb_may_pull(skb, 32)) | 173 | if (!pskb_may_pull(skb, 32)) |
| 174 | goto out; | 174 | goto out; |
| 175 | 175 | ||
| 176 | buf = skb->data; | 176 | buf = skb->data; |
| 177 | bpdu.topology_change = (buf[1] & 0x01) ? 1 : 0; | 177 | bpdu.topology_change = (buf[1] & 0x01) ? 1 : 0; |
| 178 | bpdu.topology_change_ack = (buf[1] & 0x80) ? 1 : 0; | 178 | bpdu.topology_change_ack = (buf[1] & 0x80) ? 1 : 0; |
| 179 | 179 | ||
| 180 | bpdu.root.prio[0] = buf[2]; | 180 | bpdu.root.prio[0] = buf[2]; |
| 181 | bpdu.root.prio[1] = buf[3]; | 181 | bpdu.root.prio[1] = buf[3]; |
| 182 | bpdu.root.addr[0] = buf[4]; | 182 | bpdu.root.addr[0] = buf[4]; |
| 183 | bpdu.root.addr[1] = buf[5]; | 183 | bpdu.root.addr[1] = buf[5]; |
| 184 | bpdu.root.addr[2] = buf[6]; | 184 | bpdu.root.addr[2] = buf[6]; |
| 185 | bpdu.root.addr[3] = buf[7]; | 185 | bpdu.root.addr[3] = buf[7]; |
| 186 | bpdu.root.addr[4] = buf[8]; | 186 | bpdu.root.addr[4] = buf[8]; |
| 187 | bpdu.root.addr[5] = buf[9]; | 187 | bpdu.root.addr[5] = buf[9]; |
| 188 | bpdu.root_path_cost = | 188 | bpdu.root_path_cost = |
| 189 | (buf[10] << 24) | | 189 | (buf[10] << 24) | |
| 190 | (buf[11] << 16) | | 190 | (buf[11] << 16) | |
| 191 | (buf[12] << 8) | | 191 | (buf[12] << 8) | |
| 192 | buf[13]; | 192 | buf[13]; |
| 193 | bpdu.bridge_id.prio[0] = buf[14]; | 193 | bpdu.bridge_id.prio[0] = buf[14]; |
| 194 | bpdu.bridge_id.prio[1] = buf[15]; | 194 | bpdu.bridge_id.prio[1] = buf[15]; |
| 195 | bpdu.bridge_id.addr[0] = buf[16]; | 195 | bpdu.bridge_id.addr[0] = buf[16]; |
| 196 | bpdu.bridge_id.addr[1] = buf[17]; | 196 | bpdu.bridge_id.addr[1] = buf[17]; |
| 197 | bpdu.bridge_id.addr[2] = buf[18]; | 197 | bpdu.bridge_id.addr[2] = buf[18]; |
| 198 | bpdu.bridge_id.addr[3] = buf[19]; | 198 | bpdu.bridge_id.addr[3] = buf[19]; |
| 199 | bpdu.bridge_id.addr[4] = buf[20]; | 199 | bpdu.bridge_id.addr[4] = buf[20]; |
| 200 | bpdu.bridge_id.addr[5] = buf[21]; | 200 | bpdu.bridge_id.addr[5] = buf[21]; |
| 201 | bpdu.port_id = (buf[22] << 8) | buf[23]; | 201 | bpdu.port_id = (buf[22] << 8) | buf[23]; |
| 202 | 202 | ||
| 203 | bpdu.message_age = br_get_ticks(buf+24); | 203 | bpdu.message_age = br_get_ticks(buf+24); |
| 204 | bpdu.max_age = br_get_ticks(buf+26); | 204 | bpdu.max_age = br_get_ticks(buf+26); |
| 205 | bpdu.hello_time = br_get_ticks(buf+28); | 205 | bpdu.hello_time = br_get_ticks(buf+28); |
| 206 | bpdu.forward_delay = br_get_ticks(buf+30); | 206 | bpdu.forward_delay = br_get_ticks(buf+30); |
| 207 | 207 | ||
| 208 | br_received_config_bpdu(p, &bpdu); | 208 | br_received_config_bpdu(p, &bpdu); |
| 209 | } | 209 | } |
| 210 | 210 | ||
| 211 | else if (buf[0] == BPDU_TYPE_TCN) { | 211 | else if (buf[0] == BPDU_TYPE_TCN) { |
| 212 | br_received_tcn_bpdu(p); | 212 | br_received_tcn_bpdu(p); |
| 213 | } | 213 | } |
| 214 | out: | 214 | out: |
| 215 | spin_unlock(&br->lock); | 215 | spin_unlock(&br->lock); |
| 216 | err: | 216 | err: |
| 217 | kfree_skb(skb); | 217 | kfree_skb(skb); |
| 218 | return 0; | 218 | return 0; |
| 219 | } | 219 | } |
| 220 | 220 |