xen-netfront: restore __skb_queue_tail() positioning in xennet_get_re…

…sponses() commit f63c2c2 upstream. The commit referenced below moved the invocation past the "next" label, without any explanation. In fact this allows misbehaving backends undue control over the domain the frontend runs in, as earlier detected errors require the skb to not be freed (it may be retained for later processing via xennet_move_rx_slot(), or it may simply be unsafe to have it freed). This is CVE-2022-33743 / XSA-405. Fixes: 6c5aa6f ("xen networking: add basic XDP support for xen-netfront") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mariux64 · Jul 7, 2022 · a74adaf · a74adaf
1 parent 3ebaa2c
commit a74adaf
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
@@ -1094,8 +1094,10 @@ static int xennet_get_responses(struct netfront_queue *queue,
 			}
 		}
 		rcu_read_unlock();
-next:
+
 		__skb_queue_tail(list, skb);
+
+next:
 		if (!(rx->flags & XEN_NETRXF_more_data))
 			break;