lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 3 Jun 2008 15:03:48 +0200 (CEST)
From:	Krzysztof Oledzki <olel@....pl>
To:	Patrick McHardy <kaber@...sh.net>
cc:	Jarek Poplawski <jarkao2@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH]  Fix routing tables with id > 255 for legacy software



On Tue, 3 Jun 2008, Patrick McHardy wrote:

> Jarek Poplawski wrote:
>> On Tue, Jun 03, 2008 at 12:37:35PM +0200, Krzysztof Oledzki wrote:
>>> 
>> If such an old app uses rtm_table, this 253 table could be used for
>> something and get additional entries after this patch. Another case
>> would be when such an overflow on 0xff is "expected", then old tables
>> would loose their entries. I hope I'm wrong with this, but it looks
>> like admins can do strange things, and then this would be called a
>> regression. So, I think this patch is right if we are sure there are
>> no such cases...
>> 
>>>> BTW, I wonder, how these old appliction would treat RT_TABLE_UNSPEC 
>>>> instead.
>>> Such old appliction is for example zebra/quagga: it asks for all routes, 
>>> does not know about RTA_TABLE so uses rtm_table and selects all entries 
>>> with rtm_table == RT_TABLE_MAIN or zebrad.rtm_table_default which is 
>>> unfortunately 0 by default. So no, RT_TABLE_UNSPEC (0) does not help, even 
>>> makes everythink worse here.
>> 
>> I see: so we don't care for these RT_TABLE_COMPAT entries, let only
>> they don't go to _MAIN or _UNSPEC!
>
> Well, if people already use table 253, I guess they might care.

Not really as if pople use a FRA_TABLE aware application they should not 
notice any difference.

> I'm not convinced this is any better than overflowing.

But if they use FRA_TABLE unaware application than overflowing means 
mismatching all:
  - N*256 table as RT_TABLE_UNSPEC
  - N*256+253 tables as RT_TABLE_DEFAULT
  - N*256+254 tables as RT_TABLE_MAIN
  - N*256+255 tables as RT_TABLE_LOCAL

And as I just find out, when it happens is quite unexpected and can really 
hurt. :(

> And I still don't see any other way to handle this properly.

Exactly. So that's why I came with above solution, similar to AS_TRANSIT 
idea used in BGP to handle 16bit -> 32bit ASN transformation.

Best regards,

 				Krzysztof Olędzki

Powered by blists - more mailing lists