| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Oct 2009 23:34:29 +0200 From: Torsten Schmidt <torsten.schmidt@...06.tu-chemnitz.de> To: Eric Dumazet <eric.dumazet@...il.com> Cc: Linux Netdev List <netdev@...r.kernel.org> Subject: Re: [PATCH] IPv4: skip loopback checksums in ip_rcv() Eric Dumazet: > Torsten Schmidt a écrit : >> Eric Dumazet wrotes: >>> This is bogus IMHO. >>> >>> One bit could be corrupted in iph, and ntohl(iph->daddr) becomes 0x7fxxyyzz, >>> we then accept a bogus frame. This is a RFC violation. >>> >>> This also slows down non loopback devices, adding an extra test. >>> >>> ip_fast_csum() is really fast (about 16 instructions). >> >> Yes, you are right. So it would be better to only skip csum if *dev is >> our loopback interface ? Right ? > > An application could send a bogus IP packet using RAW interface, and we still should > check IP checksum before delivering this packet, even on loopback device. Yes, then we should fix this comment in ip_rcv(): RFC1122: 3.2.1.2 MUST silently discard any IP frame that fails the checksum. Is the datagram acceptable? 1. Length at least the size of an ip header 2. Version of 4 -> 3. Checksums correctly. [Speed optimisation for later, skip loopback checksums] 4. Doesn't have a bogus length Right ? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists