Date: Thu, 17 Mar 2016 11:24:59 +0100
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Jiri Bohac <jbohac@...e.cz>
CC: Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, <netdev@...r.kernel.org>
Subject: Re: [PATCH] xfrm: don't segment UFO packets

On Thu, Mar 17, 2016 at 10:41:15AM +0100, Jiri Bohac wrote:
> On Thu, Mar 17, 2016 at 01:03:59PM +0800, Herbert Xu wrote:
> > On Wed, Mar 16, 2016 at 05:00:26PM +0100, Jiri Bohac wrote:
> > > Prevent xfrm_output() from segmenting UFO packets so that they will be
> > > fragmented after the xfrm transforms.
> >
> > Fair enough. But I wonder if this is enough. Wouldn't UDP notice
> > that we're doing IPsec and prefragment the packet anyway? So I think
> > this check may also be needed in the UDP output path.
>
> Fixes my broken case.

Is this IPv4 or IPv6?

IPv4 should not create a GSO skb if IPsec is done. It checks for
rt->dst.header_len in __ip_append_data() and does a fallback to
the standard case if rt->dst.header_len is non zero.

In IPv6 this check is missing, so this could be the problem if this
is IPv6.