lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Sat, 21 Dec 2013 01:36:10 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Salam Noureddine <noureddine@...stanetworks.com>
Cc:	"David S. Miller" <davem@...emloft.net>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	James Morris <jmorris@...ei.org>,
	Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
	Patrick McHardy <kaber@...sh.net>, netdev@...r.kernel.org
Subject: Re: [PATCH 1/1] ipv4: arp: Always update neighbour address when a gratuitous arp is received

On Fri, Dec 20, 2013 at 10:59:22AM -0800, Salam Noureddine wrote:
> Gratuitous arp packets are useful in switchover scenarios to update
> client arp tables as quickly as possible. Currently, the mac address
> of a neighbour is only updated after a locktime period has elapsed
> since the last update. In most use cases such delays are unacceptable
> for network admins. Moreover, the "updated" field of the neighbour
> stucture doesn't record the last time the address of a neighbour
> changed but records any change that happens to the neighbour. This is
> clearly a bug since locktime uses that field as meaning "addr_updated".
> With this observation, I was able to perpetuate a stale address by
> sending a stream of gratuitous arp packets spaced less than locktime
> apart.
> 
> Signed-off-by: Salam Noureddine <noureddine@...stanetworks.com>
> ---
>  net/ipv4/arp.c |   10 ++++++++--
>  1 files changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
> index 7808093..6597708 100644
> --- a/net/ipv4/arp.c
> +++ b/net/ipv4/arp.c
> @@ -904,13 +904,19 @@ static int arp_process(struct sk_buff *skb)
>  	if (n) {
>  		int state = NUD_REACHABLE;
>  		int override;
> +		bool is_garp = tip == sip &&
> +			       inet_addr_type(net, sip) == RTN_UNICAST;

Would it make sense to add the following?

				&& arp->arp_op == htons(ARPOP_REQUEST);

Maybe we could also check that target hardware address is the broadcast
address, so we don't accept targetted arp spoofing attempts?

Just extract *tha like we did for sha.

Otherwise I am fine with that.

Thanks,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ