Date: Fri, 3 Sep 2010 12:49:41 +0800 From: Herbert Xu <herbert@...dor.apana.org.au> To: Bandan Das <bandan.das@...atus.com> Cc: bunk@...nel.org, Eric Dumazet <eric.dumazet@...il.com>, David Miller <davem@...emloft.net>, NetDev <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, Patrick McHardy <kaber@...sh.net> Subject: Re: [PATCH net-next-2.6] net/ipv4: push IP options to CB in ip_fragment On Wed, Sep 01, 2010 at 12:57:43PM -0400, Bandan Das wrote: > > diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c > index 2c911c0..de44271 100644 > --- a/net/bridge/br_netfilter.c > +++ b/net/bridge/br_netfilter.c 
> @@ -759,9 +759,21 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb, > #if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE) > static int br_nf_dev_queue_xmit(struct sk_buff *skb) > { > + struct ip_options *opt; > + struct iphdr *iph; > + struct net_device *dev = skb->dev; > + > if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) && > skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu && > - !skb_is_gso(skb)) > + !skb_is_gso(skb)) { > + iph = ip_hdr(skb); > + opt = &(IPCB(skb)->opt); > + opt->optlen = iph->ihl*4 - sizeof(struct iphdr); > + if (ip_options_compile(dev_net(dev), opt, skb)){ > + IP_INC_STATS(dev_net(dev), IPSTATS_MIB_INHDRERRORS); > + memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); > + } > + } 1. Only parse options if ihl > 5. 2. Please audit the IP stack to ensure that this does not mangle the packet. We should not write to the packet here. 3. Please check whether SRR is handled correctly (see ip_rcv_options). This should go into a helper function as this isn't the only entry point from the bridge into the IP stack. Also it may be worth considering whether we should replace ip_fragment here with something that only refragments a frag_list since the only time we want to fragment here is if we reassembled an IP datagram due to netfilter. Thanks, -- Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
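Review bot: In the block added to br_nf_dev_queue_xmit(), IPCB(skb) is zeroed only on the ip_options_compile() failure path, so on the success path every field of the options structure other than optlen still holds whatever was in skb->cb before this function ran. Zero the control block before setting `opt->optlen`, not just in the error branch. The length itself comes from `iph->ihl*4 - sizeof(struct iphdr)` with no check on ihl, so an ihl below 5 makes the subtraction underflow; test ihl first and skip the parse when the header carries no options. The error branch also only bumps IPSTATS_MIB_INHDRERRORS and clears the CB; a short comment saying what is meant to happen to the packet after that would help. Style: `if (ip_options_compile(dev_net(dev), opt, skb)){` needs a space before the opening brace.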