| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Jul 2016 07:52:29 +0000 (UTC) From: Chunhui He <hchunhui@...l.ustc.edu.cn> To: ja@....bg Cc: davem@...emloft.net, dsa@...ulusnetworks.com, nicolas.dichtel@...nd.com, roopa@...ulusnetworks.com, rshearma@...cade.com, dbarroso@...tly.com, martinbj2008@...il.com, rick.jones2@...com, koct9i@...il.com, edumazet@...gle.com, tgraf@...g.ch, ebiederm@...ssion.com, yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] net: neigh: disallow state transition DELAY->STALE in neigh_update() Hello, On Sat, 23 Jul 2016 22:09:43 +0300 (EEST), Julian Anastasov <ja@....bg> wrote: > > May be that is the problem: we receive such packet, > ip_route_input_noref detects that we allow such packet > from NEIGH_IP on this interface, tip is not RTN_LOCAL (no > ARP reply from us), tip is RTN_UNICAST but proxy_arp is not > allowed, so we continue and reach __neigh_lookup which finds > the existing cache entry because we talked to GW before that. > As this is an ARP request, neigh_update is called with NUD_STALE. > No reply is sent because request was not for us but we > just learned that NEIGH_IP is alive because it lookups > for someone else. This is common to observe with broadcasts, > GW lookups for other hosts and has to expose its IP+hwaddr. > More difficult to happen with unicast packets, you need hub, > not switch, to detect such packets. > > It is possible that you miss the packet that tries > to set NUD_STALE. May be you can add some printk's to catch > what kind of packet causes this. This can help too: > > tcpdump -lnnn -s0 arp and host GW_IP > > If you see such packet, that is it. Our cache is > updated with NUD_STALE. > >> So I'm not sure if it can learn from ARP reply. > > See above, received broadcast GARP reply can set > NUD_STALE. But the most trivial case of GW exposing its > IP while looking for other hosts should be the culprit. > It probably happens often, that is why we have no chance > to send ARP requests, GW is more ARP-active than us and > updates our cache and we are happy. > Thank you for your analysis. I think the same, except that I don't think GW can update our cache via broadcast ARP. Please the comment in arp_process(): > int state = NUD_REACHABLE; ... > /* Broadcast replies and request packets > do not assert neighbour reachability. > */ > if (arp->ar_op != htons(ARPOP_REPLY) || > skb->pkt_type != PACKET_HOST) > state = NUD_STALE; > neigh_update(n, sha, state, ... Broadcast packets do not assert reachability, so they should not interference our state machine. They are just a hint. Regards, Chunhui
Powered by blists - more mailing lists