Date:	Thu, 17 Apr 2008 13:11:49 +0300
From:	"Rami Rosen" <roszenrami@...il.com>
To:	"Ian Brown" <ianbrn@...il.com>
Cc:	"Brian Haley" <brian.haley@...com>,
	"YOSHIFUJI Hideaki / 吉藤英明" 
	<yoshfuji@...ux-ipv6.org>, netdev@...r.kernel.org
Subject: Re: Why MLDv2 Report packet is freed ?

Hi,

What happens here is this:

>Second, when MLDV2 report reaches ip6_mc_input(),
>the ICMPv6 header has a type of ICMPV6_MLD2_REPORT; and it is a router
>alert. This causes a call to ip6_input() and **not** ip6_mr_input().
>This causes it to be handled by the ICMPv6 handler, which is icmpv6_rcv().
>I am absolutely sure about it, as I added some printk() in these kernel methods.
>I see that I reach the icmpv6_rcv() and the packet is dropped.

All this is correct. But **before** it reaches the icmpv6_rcv(), what
happens is this:
The ip6_input() method calls ip6_input_finish(), which calls
raw6_local_deliver(). The skb is cloned in ipv6_raw_deliver().
Eventually, rawv6_rcv_skb() delivers the packet to
user space by calling sock_queue_rcv_skb(). (see net/ipv6/raw.c).
Subsequently, it continues to icmpv6_rcv() and frees the packet since its
type is ICMPV6_MLD2_REPORT.



>The sock_queue_rcv_skb() method in ip6mr_cache_report() is NOT called
>in this case -
>simply because we don't get there, since ip6_mc_input() in this case

True. The packet is passed to the pim6sd user space daemon by the
rawv6_rcv_skb(), as mentioned above.
In this implementation, the sock_queue_rcv_skb() in ip6mr_cache_report()
is not for MLDv2 REPORT messages, but for other types of messages.

Regards,
Rami Rosen





On Thu, Apr 17, 2008 at 8:49 AM, Ian Brown <ianbrn@...il.com> wrote:
> Hello,
>
>  First, I have multicast routing enabled:
>  /proc/sys/net/ipv6/conf/*/mc_forwarding is 1 and
>  CONFIG_IPV6_MROUTE=y when building the kernel.
>
>  Second, when MLDV2 report reaches ip6_mc_input(),
>  the ICMPv6 header has a type of ICMPV6_MLD2_REPORT; and it is a router
>  alert. This causes a call to ip6_input() and **not** ip6_mr_input().
>  This causes it to be handled by the ICMPv6 handler, which is icmpv6_rcv().
>  I am absolutely sure about it, as I added some printk() in these kernel methods.
>  I see that I reach the icmpv6_rcv() and the packet is dropped.
>  The sock_queue_rcv_skb() method in ip6mr_cache_report() is NOT called
>  in this case -
>  simply because we don't get there, since ip6_mc_input() in this case
>  does **not**
>  call ip6_mr_input() ; it does call ip6_mr_input() in other cases.
>
>  Moreover, I added printing in the accept_mld6() method of the pim6sd
>  daemon, which is the
>  handler for these packets, and I do not get there.
>
>  Could it be that this is a bug ?
>
>  Any ideas ?
>
>  IB
>
>
>
>
>
>
>
>  On Wed, Apr 16, 2008 at 9:02 PM, Brian Haley <brian.haley@...com> wrote:
>  > Ian Brown wrote:
>  >  > Hello,
>  >  >
>  >  > I am sorry, I tried to delve into the code and I am not sure I can figure out this
>  >  > point.
>  >  >> MLD packets are handled in other place.
>  >  >
>  >  > Can anybody please try to elaborate on this point: how
>  >  > are MLD packets handled ? Shouldn't MLD packets be
>  >  > handled by pim6sd daemon?
>  >
>  >  Yes.
>  >
>  >
>  >  > I see handlers for accepting MLD (v1 and v2)
>  >  > in pim6sd daemon;
>  >  > And in case MLD packets  should be handled by pim6sd  - shouldn't the kernel
>  >  > pass these MLD packets to the pim6sd daemon (by calling sock_queue_rcv_skb()
>  >  > in ip6mr.c) ? As far as I can understand, these MLD packets are
>  >  > dropped in icmpv6_rcv()
>  >
>  >  From what I can tell, ip6_mc_input() makes a copy if multicast routing
>  >  is enabled.  Those copies eventually get to ip6mr_cache_report() which
>  >  delivers them to user-space (there's even a reference to pim6sd in
>  >  net/ipv6/ip6mr.c).
>  >
>  >  Have you seen them not get delivered?
>  >
>  >  -Brian
>  >
>  --
>  To unsubscribe from this list: send the line "unsubscribe netdev" in
>  the body of a message to majordomo@...r.kernel.org
>  More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
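The user-space end of the raw-socket delivery path described in this thread, as an added example that is not part of the original messages and is not code from pim6sd or the kernel. It opens a raw ICMPv6 socket filtered to MLDv2 reports and bounds-checks the payload such a socket would hand back. The function names and the sample bytes are constructed for illustration, and type 143 is taken from RFC 3810.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/icmp6.h>

#define MLD2_REPORT 143 /* RFC 3810 type; ICMPV6_MLD2_REPORT in the kernel */

/* Constructed sample: one report, one record, no sources, group ff02::1:3. */
const uint8_t sample_report[28] = {
    143, 0, 0, 0, 0, 0, 0, 1,   /* type, rsvd, cksum(2), rsvd(2), nrecords=1 */
    4, 0, 0, 0,                 /* record type, aux len, nsources=0 */
    0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 3 };

/* Block every ICMPv6 type except MLDv2 reports. */
void mld2_only_filter(struct icmp6_filter *f)
{
    ICMP6_FILTER_SETBLOCKALL(f);
    ICMP6_FILTER_SETPASS(MLD2_REPORT, f);
}

/* Raw ICMPv6 socket with the filter applied; needs CAP_NET_RAW.
 * Group joins / multicast-router setup are not shown (assumed done elsewhere). */
int open_mld2_socket(void)
{
    struct icmp6_filter f;
    int fd = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
    if (fd < 0) return -1;
    mld2_only_filter(&f);
    if (setsockopt(fd, IPPROTO_ICMPV6, ICMP6_FILTER, &f, sizeof f) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Walk the records of an ICMPv6 payload (no IPv6 header, as recv() on a raw
 * ICMPv6 socket returns it). Returns the record count, or -1 if the buffer
 * is not an MLDv2 report or a record runs past the end. */
int mld2_count_records(const uint8_t *p, size_t len)
{
    if (len < 8 || p[0] != MLD2_REPORT) return -1;
    int n = (p[6] << 8) | p[7];
    size_t off = 8;
    for (int i = 0; i < n; i++) {
        if (len - off < 20) return -1;          /* fixed part of a record */
        size_t rec = 20 + 16u * ((p[off + 2] << 8) | p[off + 3]) + 4u * p[off + 1];
        if (len - off < rec) return -1;         /* sources + aux data must fit */
        off += rec;
    }
    return n;
}
```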