xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The commit referenced below moved the invocation past the "next" label,
without any explanation. In fact this allows misbehaving backends undue
control over the domain the frontend runs in, as earlier detected errors
require the skb to not be freed (it may be retained for later processing
via xennet_move_rx_slot(), or it may simply be unsafe to have it freed).

This is CVE-2022-33743 / XSA-405.

Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>

authored by

Jan Beulich and committed by

Juergen Gross 3 years ago f63c2c20 2400617d

+3 -1

1 changed file

expand all

drivers

net

xen-netfront.c

+3 -1

drivers/net/xen-netfront.c

··· 1092 1092 } 1093 1093 } 1094 1094 rcu_read_unlock(); 1095 - next: 1095 + 1096 1096 __skb_queue_tail(list, skb); 1097 + 1098 + next: 1097 1099 if (!(rx->flags & XEN_NETRXF_more_data)) 1098 1100 break; 1099 1101