Date:   Mon, 01 May 2017 14:53:26 -0400 (EDT)
From:   David Miller <davem@...emloft.net>
To:     kraigatgoog@...il.com
Cc:     yoshfuji@...ux-ipv6.org, kuznet@....inr.ac.ru,
        netdev@...r.kernel.org
Subject: Re: [PATCH v2 net-next] ip6_tunnel: Fix missing tunnel
 encapsulation limit option

From: Craig Gallek <kraigatgoog@...il.com>
Date: Wed, 26 Apr 2017 14:37:45 -0400

> From: Craig Gallek <cgallek@...gle.com>
> 
> The IPv6 tunneling code tries to insert IPV6_TLV_TNL_ENCAP_LIMIT and
> IPV6_TLV_PADN options when an encapsulation limit is defined (the
> default is a limit of 4).  An MTU adjustment is done to account for
> these options as well.  However, the options are never present in the
> generated packets.
> 
> The issue appears to be a subtlety between IPV6_DSTOPTS and
> IPV6_RTHDRDSTOPTS defined in RFC 3542.  When the IPIP tunnel driver was
> written, the encap limit options were included as IPV6_RTHDRDSTOPTS in
> dst0opt of struct ipv6_txoptions.  Later, ipv6_push_nfrags_opts was
> (correctly) updated to require IPV6_RTHDR options when IPV6_RTHDRDSTOPTS
> are to be used.  This caused the options to no longer be included in v6
> encapsulated packets.
> 
> The fix is to use IPV6_DSTOPTS (in dst1opt of struct ipv6_txoptions)
> instead.  IPV6_DSTOPTS do not have the additional IPV6_RTHDR requirement.
> 
> Fixes: 1df64a8569c7: ("[IPV6]: Add ip6ip6 tunnel driver.")
> Fixes: 333fad5364d6: ("[IPV6]: Support several new sockopt / ancillary data in Advanced API (RFC3542)")
> Signed-off-by: Craig Gallek <kraig@...gle.com>
> ---
> 
> v2: Change tunnel code to use dst1opt rather than making the checks for
>     dst0opt more permissive.

Thanks for the detailed analysis in the commit message, this made reviewing
your patch a lot easier.

Applied, thank you.
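
Added example, not part of the original thread or of the kernel patch: a small C check for the symptom the commit message describes, namely whether a tunnel's outer IPv6 packet actually carries the encapsulation limit option in a Destination Options header. The function names, the constructed sample bytes, and the assumption that the Destination Options header directly follows the outer IPv6 header (no routing or fragment header) belong to this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NEXTHDR_IPV6 41          /* IPv6-in-IPv6 payload */
#define NEXTHDR_DEST 60          /* Destination Options header */
#define TLV_PAD1 0
#define TLV_PADN 1
#define TLV_TNL_ENCAP_LIMIT 4    /* tunnel encapsulation limit option */

/* Returns the encapsulation limit (0..255) found in a Destination Options
 * header that directly follows the outer IPv6 header, -1 if the option is
 * absent, -2 if the packet is truncated or malformed. */
int find_encap_limit(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return -2;
    if (pkt[6] != NEXTHDR_DEST) return -1;   /* no options header at all */
    if (len < 42) return -2;
    size_t hdr_len = ((size_t)pkt[41] + 1) * 8;
    if (len < 40 + hdr_len) return -2;
    const uint8_t *opt = pkt + 42, *end = pkt + 40 + hdr_len;
    while (opt < end) {
        if (opt[0] == TLV_PAD1) { opt++; continue; }   /* 1-byte pad */
        if (end - opt < 2 || (size_t)(end - opt) < 2u + opt[1]) return -2;
        if (opt[0] == TLV_TNL_ENCAP_LIMIT)
            return opt[1] == 1 ? opt[2] : -2;          /* data is 1 byte */
        opt += 2 + opt[1];                             /* skip other TLVs */
    }
    return -1;
}

/* Constructed sample (not captured traffic): outer IPv6 header, optionally
 * followed by an 8-byte options header holding the limit and a PadN. */
size_t build_sample(uint8_t buf[48], int with_tel, uint8_t limit)
{
    static const uint8_t dst[8] = { NEXTHDR_IPV6, 0, TLV_TNL_ENCAP_LIMIT, 1,
                                    0, TLV_PADN, 1, 0 };
    memset(buf, 0, 48);
    buf[0] = 0x60; buf[7] = 64;              /* version 6, hop limit 64 */
    buf[6] = with_tel ? NEXTHDR_DEST : NEXTHDR_IPV6;
    if (!with_tel) return 40;
    memcpy(buf + 40, dst, 8); buf[44] = limit; buf[5] = 8;
    return 48;
}

int main(void)
{
    uint8_t buf[48];
    printf("with option: %d\n", find_encap_limit(buf, build_sample(buf, 1, 4)));
    printf("without:     %d\n", find_encap_limit(buf, build_sample(buf, 0, 0)));
    return 0;
}
```

A result of -1 on packets from a tunnel with an encapsulation limit configured matches the behaviour the commit message reports before the fix.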
