| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 31 Dec 2010 01:29:12 +0200
From: "Winkler, Tomas" <tomas.winkler@...el.com>
To: Stephen Hemminger <stephen.hemminger@...tta.com>,
Stephen Hemminger <shemminger@...tta.com>,
Johannes Berg <johannes@...solutions.net>
CC: "davem@...emloft.net" <davem@...emloft.net>,
"netdev@...r.kernel.org " <netdev@...r.kernel.org>,
"linux-wireless@...r.kernel.org " <linux-wireless@...r.kernel.org>
Subject: RE: [PATCH net-2.6] bridge: fix br_multicast_ipv6_rcv for paged skbs
> -----Original Message-----
> From: Stephen Hemminger [mailto:stephen.hemminger@...tta.com]
> Sent: Friday, December 31, 2010 1:06 AM
> To: Winkler, Tomas; Stephen Hemminger; Johannes Berg
> Cc: davem@...emloft.net; netdev@...r.kernel.org ; linux-
> wireless@...r.kernel.org
> Subject: RE: [PATCH net-2.6] bridge: fix br_multicast_ipv6_rcv for paged
> skbs
>
> Although copy is slower for large packets, this is a non performance path.
> The code in question is for bridged multicast Ipv6 ICMP packets. This case
> is so uncritical it could be done in BASIC and no one could possibly care!
>
Fair enough, although you got few of those when you connect to win7 client.
Anyhow my fix would work if the second pull would be
if (!pskb_may_pull(skb2, sizeof(struct mld_msg))) instead of (!pskb_may_pull(skb2, sizeof(*icmp6h)))
Second I think just that non multicast places shouldn't be fixed contrary to my previous suggestion as the
skb_network_header(skb) + offset + 1 - skb->data will give you correct offset to pull up if the network header is not on skb->data.
Thanks
Tomas
> "Winkler, Tomas" <tomas.winkler@...el.com> wrote:
>
> >
> >
> >> -----Original Message-----
> >> From: Stephen Hemminger [mailto:shemminger@...tta.com]
> >> Sent: Thursday, December 30, 2010 9:06 PM
> >> To: Johannes Berg
> >> Cc: Winkler, Tomas; davem@...emloft.net; netdev@...r.kernel.org; linux-
> >> wireless@...r.kernel.org
> >> Subject: Re: [PATCH net-2.6] bridge: fix br_multicast_ipv6_rcv for paged
> >> skbs
> >>
> >> On Thu, 30 Dec 2010 19:52:14 +0100
> >> Johannes Berg <johannes@...solutions.net> wrote:
> >>
> >> > On Thu, 2010-12-30 at 10:46 -0800, Stephen Hemminger wrote:
> >> >
> >> > > This doesn't look correct. The calculation of the offset doesn't look
> >> correct.
> >> > > Just following the skb_clone(), the skb_pull value is "offset".
> >> > > Also, the other checks return -EINVAL for incorrectly formed packet.
> >> > >
> >> > > --- a/net/bridge/br_multicast.c 2010-12-30 10:29:58.579510488 -0800
> >> > > +++ b/net/bridge/br_multicast.c 2010-12-30 10:43:27.273386691 -0800
> >> > > @@ -1464,6 +1464,9 @@ static int br_multicast_ipv6_rcv(struct
> >> > > if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
> >> > > return 0;
> >> > >
> >> > > + if (!pskb_may_pull(skb, offset))
> >> > > + return -EINVAL;
> >> > > +
> >> > > /* Okay, we found ICMPv6 header */
> >> > > skb2 = skb_clone(skb, GFP_ATOMIC);
> >> > > if (!skb2)
> >> >
> >> > Wouldn't that make more sense after the clone anyway? But if you look
> at
> >> > my email, you'll find that there's potentially, and conditionally, more
> >> > stuff that will be read from the skb's header, which hasn't necessarily
> >> > been pulled in, so I think this still won't fix all the issues.
> >> >
> >> > Seeing how this only affects some ICMPv6 packets, maybe we should just
> >> > use skb_copy() instead?
> >>
> >> It comes out cleaner, and the check can be simplified.
> >>
> >> --- a/net/bridge/br_multicast.c 2010-12-30 10:47:12.031733855 -0800
> >> +++ b/net/bridge/br_multicast.c 2010-12-30 11:00:12.135801266 -0800
> >> @@ -1465,19 +1465,19 @@ static int br_multicast_ipv6_rcv(struct
> >> return 0;
> >>
> >> /* Okay, we found ICMPv6 header */
> >> - skb2 = skb_clone(skb, GFP_ATOMIC);
> >> + skb2 = skb_copy(skb, GFP_ATOMIC);
> >> if (!skb2)
> >> return -ENOMEM;
> >>
> >> + err = -EINVAL;
> >> + if (skb2->len < offset + sizeof(*icmp6h))
> >> + goto out;
> >> +
> >> len -= offset - skb_network_offset(skb2);
> >>
> >> __skb_pull(skb2, offset);
> >> skb_reset_transport_header(skb2);
> >>
> >> - err = -EINVAL;
> >> - if (!pskb_may_pull(skb2, sizeof(*icmp6h)))
> >> - goto out;
> >> -
> >> icmp6h = icmp6_hdr(skb2);
> >>
> >> switch (icmp6h->icmp6_type) {
> >>
> >>
> >Sorry for dump question but isn't there performance penalty on using
> skb_copy vs. skb_clone?
> >
> >Anyhow Below is a code snippet from ip6_input.c so you probably would want
> to fix it all over.
> >BTW offset and the pointer arithmetic really gives the same number +1, I'm
> not surly why the original author would thought it be safer than just using
> offset.
> >
> > offset = ipv6_skip_exthdr(skb,
> sizeof(*hdr),
> > &nexthdr);
> > if (offset < 0)
> > goto out;
> >
> > if (nexthdr != IPPROTO_ICMPV6)
> > goto out;
> >
> > if (!pskb_may_pull(skb,
> (skb_network_header(skb) +
> > offset + 1 - skb-
> >data)))
> > goto out;
> >
> > icmp6 = (struct icmp6hdr
> *)(skb_network_header(skb) + offset);
> >
> >
> >
> >Thanks
> >Tomas
> >
> >
> >---------------------------------------------------------------------
> >Intel Israel (74) Limited
> >
> >This e-mail and any attachments may contain confidential material for
> >the sole use of the intended recipient(s). Any review or distribution
> >by others is strictly prohibited. If you are not the intended
> >recipient, please contact the sender and delete all copies.
> >
---------------------------------------------------------------------
Intel Israel (74) Limited
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
Powered by blists - more mailing lists