| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 01 Oct 2017 03:56:48 +0100 (WEST) From: David Miller <davem@...emloft.net> To: pabeni@...hat.com Cc: netdev@...r.kernel.org Subject: Re: [PATCH net 0/2] udp: fix early demux for mcast packets From: Paolo Abeni <pabeni@...hat.com> Date: Thu, 28 Sep 2017 15:51:35 +0200 > Currently the early demux callbacks do not perform source address validation. > This is not an issue for TCP or UDP unicast, where the early demux > is only allowed for connected sockets and the source address is validated > for the first packet and never change. > > The UDP protocol currently allows early demux also for unconnected multicast > sockets, and we are not currently doing any validation for them, after that > the first packet lands on the socket: beyond ignoring the rp_filter - if > enabled - any kind of martian sources are also allowed. > > This series addresses the issue allowing the early demux callback to return an > error code, and performing the proper checks for unconnected UDP multicast > sockets before leveraging the rx dst cache. > > Alternatively we could disable the early demux for unconnected mcast sockets, > but that would cause relevant performance regression - around 50% - while with > this series, with full rp_filter in place, we keep the regression to a more > moderate level. Series applied and queued up for -stable, thanks.
Powered by blists - more mailing lists