lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 13 Dec 2017 13:52:30 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     cernekee@...omium.org
Cc:     kuznet@....inr.ac.ru, yoshfuji@...ux-ipv6.org,
        netdev@...r.kernel.org, andrew@...n.ch,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: igmp: Use correct source address on IGMPv3 reports

From: Kevin Cernekee <cernekee@...omium.org>
Date: Mon, 11 Dec 2017 11:13:45 -0800

> Closing a multicast socket after the final IPv4 address is deleted
> from an interface can generate a membership report that uses the
> source IP from a different interface.  The following test script, run
> from an isolated netns, reproduces the issue:
> 
>     #!/bin/bash
> 
>     ip link add dummy0 type dummy
>     ip link add dummy1 type dummy
>     ip link set dummy0 up
>     ip link set dummy1 up
>     ip addr add 10.1.1.1/24 dev dummy0
>     ip addr add 192.168.99.99/24 dev dummy1
> 
>     tcpdump -U -i dummy0 &
>     socat EXEC:"sleep 2" \
>         UDP4-DATAGRAM:239.101.1.68:8889,ip-add-membership=239.0.1.68:10.1.1.1 &
> 
>     sleep 1
>     ip addr del 10.1.1.1/24 dev dummy0
>     sleep 5
>     kill %tcpdump
> 
> RFC 3376 specifies that the report must be sent with a valid IP source
> address from the destination subnet, or from address 0.0.0.0.  Add an
> extra check to make sure this is the case.
> 
> Signed-off-by: Kevin Cernekee <cernekee@...omium.org>
...
> +	return htonl(INADDR_ANY);
> +}
> +
>  static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
>  {
>  	struct sk_buff *skb;
> @@ -368,7 +386,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
>  	pip->frag_off = htons(IP_DF);
>  	pip->ttl      = 1;
>  	pip->daddr    = fl4.daddr;
> -	pip->saddr    = fl4.saddr;
> +	pip->saddr    = igmpv3_get_srcaddr(dev, &fl4);
>  	pip->protocol = IPPROTO_IGMP;
>  	pip->tot_len  = 0;	/* filled in later */
>  	ip_select_ident(net, skb, NULL);

Ok, and I checked that MC source address validation on the receiver
will pass because:

	if (ipv4_is_zeronet(saddr)) {
		if (!ipv4_is_local_multicast(daddr))
			return -EINVAL;

that check in ip_mc_validate_source() won't trigger.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ