lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 26 Oct 2015 10:19:23 -0400
From:	Tom Herbert <tom@...bertland.com>
To:	Hannes Frederic Sowa <hannes@...essinduktion.org>
Cc:	Linux Kernel Network Developers <netdev@...r.kernel.org>,
	Eric Dumazet <edumazet@...gle.com>,
	Vlad Yasevich <vyasevich@...il.com>,
	Benjamin Coddington <bcodding@...hat.com>
Subject: Re: [PATCH net] ipv6: no CHECKSUM_PARTIAL on skbs with extension
 headers and recalc checksum during fragmentation

> We already concluded that drivers do have this problem and not the stack
> above ip6_fragment. The places I am aware of I fixed in this patch. Also
> IPv4 to me seems unaffected, albeit one can certainly clean up the logic
> in net-next.
>
I don't understand why checksum for IP fragments is a driver problem.
When fragments are sent to driver they should never have
CHECKSUM_PARTIAL set (or maybe that is what you are seeing?).

> Do you want to move the skb_checksum_help() check to the front of
> ip_fragment in ipv4 now too?
>
Yes, it seems to me we should never fragment a packets with
CHECKSUM_PARTIAL. This seems to currently be possible in IP output (v4
& v6). I would imagine that we don't see this bug trip (too often?)
because most uses of UDP got through the user space fragmentation
code, and UDP packets sent through kernel path probably don't have a
frag_list so they go through slow path.

Also, as Eric suggested, it looks like your patch is doing two things
(fixing csum/fragmentation and disabling csum_partial for any
extension headers)-- these should be separate patches.

Thanks,
Tom

> My patch fixed the part above ip6_fragment (in ip6_append_data) and made
> sure we don't send out packets with wrong checksums if we get to
> ip6_fragment directly.
>
> Bye,
> Hannes
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ