[PATCH 1/3] Record and restore skb header marks (v2)

Dan Smith danms at us.ibm.com
Tue Nov 10 10:18:57 PST 2009


Eesh, I just realized I never replied to this mail.  Sorry about
that.

OL> I wonder if the sanity test for mac_len and hdr_len are
OL> sufficient, or whether a more constrained test is required.

Yep, I have it changed now, along with some of the other checks.

OL> The skb->cb holds can be used by any layer to put private
OL> variables.

OL> Can the user mangle the data in there to create a disaster of some
OL> sort ?

OL> If the answer is "it's possible", and because this is per protocol
OL> data, I suggest to add a per-protocol callback to sanitize the
OL> data in this control buffer.

Okay, then my answer is "it could be possible later".  Right now, I
don't think there's anything in there that could be used to do more
harm than any of the other things we restore for TCP.  We don't
restore it for UNIX sockets.

OL> To not block this patchset infinitely, I guess you can put the
OL> details of the sanity check in a separate patch(set). But I prefer
OL> that the current set will at least mention and provision for such
OL> a mechanism.

Indeed.  I've added a lengthy comment to be included in the next
posting to cover it for now.

-- 
Dan Smith
IBM Linux Technology Center
email: danms at us.ibm.com


More information about the Containers mailing list