lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Mon, 30 Oct 2017 10:47:39 +0530
From:   Saurabh Gupta <sbhjnpr@...il.com>
To:     netdev@...r.kernel.org
Subject: Outgoing interface check in icmpv6_echo_reply()

Hi,

I need to add a check in icmp6_echo_reply() to drop any packet that is being
sent using address that is not local to any linux interface. Mostly to avoid
icmpv6 stats registering this packet.

/* Dont send if the address is not found on any device */
ret = ipv6_chk_addr_and_flags(net, saddr, NULL, 0, 0);

Would this be a bad idea? My question is if there are any use cases that may
break by introducing this check or any other good reason why such check is not
there already?

I see a similar check in icmp_reply()->__ip_route_output_key_hash () path,
that accomplishes similar logic:

if (!(fl4->flowi4_flags & FLOWI_FLAG_ANYSRC)) {
    /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
    if (!__ip_dev_find(net, fl4->saddr, false))
        goto out;
}

Any insights here would help.

Thanks
Saurabh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ