lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Apr 2008 13:11:49 +0300 From: "Rami Rosen" <roszenrami@...il.com> To: "Ian Brown" <ianbrn@...il.com> Cc: "Brian Haley" <brian.haley@...com>, "YOSHIFUJI Hideaki / 吉藤英明" <yoshfuji@...ux-ipv6.org>, netdev@...r.kernel.org Subject: Re: Why MLDv2 Report packet is freed ? Hi, What happens here is this: >Second, when MLDV2 report reaches ip6_mc_input(), >the ICMPv6 header has a type of ICMPV6_MLD2_REPORT; and it is a router >alert. This causes a call to ip6_input() and **not** ip6_mr_input(). >This cause it to be handled by the ICMPv6 handler, which is icmpv6_rcv(). >I am absolutely sure about it, as I added some printk() in these kernel methods. >I see that I reach the icmpv6_rcv() and the packet is dropped. All this is correct. But **before** it reaches the icmpv6_rcv(), what happens is this: The ip6_input() method calls ip6_input_finish(), which calls raw6_local_deliver(). The skb is cloned in ipv6_raw_deliver(). Eventually, rawv6_rcv_skb() delivers the packet to user space by calling sock_queue_rcv_skb(). (see net/ipv6/raw.c). Subsequently, it continues to icmpv6_rcv() and frees the packet since its type is ICMPV6_MLD2_REPORT. >The sock_queue_rcv_skb() method in p6mr_cache_report() is NOT called >in this case - >simply because we don't get there, since ip6_mc_input() in this case True. The packet is passed to the pim6sd user space daemon by the rawv6_rcv_skb() , as mentioned above. In this implementation, the sock_queue_rcv_skb() in p6mr_cache_report() is not for MLDv2 REPORT messages, but for other type of messages. Regards, Rami Rosen On Thu, Apr 17, 2008 at 8:49 AM, Ian Brown <ianbrn@...il.com> wrote: > Hello, > > First, I have multicast routing enabled: > /proc/sys/net/ipv6/conf/*/mc_forwarding is 1 and > CONFIG_IPV6_MROUTE=y when building the kernel. > > Second, when MLDV2 report reaches ip6_mc_input(), > the ICMPv6 header has a type of ICMPV6_MLD2_REPORT; and it is a router > alert. This causes a call to ip6_input() and **not** ip6_mr_input(). > This casue it to be handled by the ICMPv6 handler, which is icmpv6_rcv(). > I am absolutely sure about it, as I added some printk() in these kernel methods. > I see that I reach the icmpv6_rcv() and the packet is dropped. > The sock_queue_rcv_skb() method in p6mr_cache_report() is NOT called > in this case - > simply because we don't get there, since ip6_mc_input() in this case > does **not** > call ip6_mr_input() ; it does call ip6_mr_input() in other cases. > > Moreover, I added printing in the accept_mld6() method of the pim6sd > daemon, which is the > handler for these packets, and I do not get there. > > Could it be that this is a bug ? > > Any ideas ? > > IB > > > > > > > > On Wed, Apr 16, 2008 at 9:02 PM, Brian Haley <brian.haley@...com> wrote: > > Ian Brown wrote: > > > Hello, > > > > > > I am sorry, I tried to delve into the code and I not sure I can figure out this > > > point. > > >> MLD packets are handled in other place. > > > > > > Can anybody please try to elaborate on this point: how > > > are MLD packets handled ? Shouldn't MLD packets be > > > handled by pim6sd daemon? > > > > Yes. > > > > > > > I see handlers for accepting MLD (v1 and v2) > > > in pim6sd daemon; > > > And in case MLD packets should be handled by pim6sd - shouldn't the kernel > > > pass these MLD packets to the pim6sd daemon (by calling sock_queue_rcv_skb() > > > in ip6mr.c) ? As far as I can understand, these MLD packets are > > > dropped in icmpv6_rcv() > > > > From what I can tell, ip6_mc_input() makes a copy if multicast routing > > is enabled. Those copies eventually get to ip6mr_cache_report() which > > delivers them to user-space (there's even a reference to pim6sd in > > net/ipv6/ip6mr.c). > > > > Have you seen them not get delivered? > > > > -Brian > > > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists