lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 30 Mar 2014 20:12:53 +0800 (CST)
From:	"wei zhang" <asuka.com@....com>
To:	"Jesse Gross" <jesse@...ira.com>
Cc:	"David Miller" <davem@...emloft.net>,
	"dev@...nvswitch.org" <dev@...nvswitch.org>,
	netdev <netdev@...r.kernel.org>,
	"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] openvswitch: supply a dummy err_handler of
 gre_cisco_protocol to prevent kernel crash

At 2014-03-29 06:02:25,"Jesse Gross" <jesse@...ira.com> wrote:

>I'm not sure that rejecting all ICMP packets is the correct thing do
>here since it means that we could pass them onto a later caller even
>though they are intended for us. We should probably use the same logic
>as for receiving packets and just discard them here.

Thank you very much for your advice, did you mean this logic?  

diff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c
index a3d6951..c183a56 100644
--- a/net/openvswitch/vport-gre.c
+++ b/net/openvswitch/vport-gre.c
@@ -110,6 +110,21 @@ static int gre_rcv(struct sk_buff *skb,
        return PACKET_RCVD;
 }
 
+/* Called with rcu_read_lock and BH disabled. */
+static int gre_err(struct sk_buff *skb, u32 info,
+                  const struct tnl_ptk_info *tpi)
+{
+       struct ovs_net *ovs_net;
+       struct vport *vport;
+
+       ovs_net = net_generic(dev_net(skb->dev), ovs_net_id);
+       vport = rcu_dereference(ovs_net->vport_net.gre_vport);
+       if (unlikely(!vport))
+               return PACKET_REJECT;
+       else
+               return PACKET_RCVD;
+}

Maybe I misunderstand something? I think if we discard all packet pass to us
when we use gre vport, new gre_cisco_protocol which has lower priority could
not see the packet intended to it.

I checked the implementation of the ipgre_err(), which has be called before
the err_handler of gre vport. It use the the (local address, remote address, key)
to distinguish the packet which is realy intended to it, although it could not 
always get the key from the icmp packet. Should we do as the same as it?
I'm not sure this is feasible, any advice is appreciate.

Regards,
Wei Zhang

Powered by blists - more mailing lists