lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 27 Jun 2011 20:55:44 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	ja@....bg
Cc:	mangoo@...g.org, eric.dumazet@...il.com, netdev@...r.kernel.org,
	bazsi@...abit.hu, hidden@...abit.hu
Subject: Re: what's causing "ip_rt_bug"?

From: Julian Anastasov <ja@....bg>
Date: Sat, 18 Jun 2011 20:53:59 +0300 (EEST)

> 	Hm, if it happens "sometimes", can it be some
> problem with tproxy and TIME_WAIT sockets? I see that
> tproxy_sk_is_transparent has special treatment for TW
> sockets while ip_route_me_harder is different. As result,
> may be input route is assigned for TW packets.
> 
> 	May be inet_sk_flowi_flags() needs fixing, not
> sure. But following patch is first step to fix this
> problem. I don't have setup to test this patch.

TPROXY has special code to make sure that time-wait sockets
are not assigned to skb->sk, as explained in commit
d503b30bd648b3cb4e5f50b65d27e389960cc6d9, that would cause
all kinds of crashes in nfnetlink_log etc.

Therefore we would see skb->sk==NULL at ip_route_me_harder()
in that case.

> ===========================================================
> 
> 	Avoid creating input routes with ip_route_me_harder.
> It does not work for locally generated packets. Instead,
> restrict sockets to provide valid saddr for output route (or
> unicast saddr for transparent proxy). For other traffic
> allow saddr to be unicast or local but if callers forget
> to check saddr type use 0 for the output route.
> 
> 	The resulting handling should be:
> 
> - REJECT TCP:
> 	- in INPUT we can provide addr_type = RTN_LOCAL but
> 	better allow rejecting traffic delivered with
> 	local route (no IP address => use RTN_UNSPEC to
> 	allow also RTN_UNICAST).
> 	- FORWARD: RTN_UNSPEC => allow RTN_LOCAL/RTN_UNICAST
> 	saddr, add fix to ignore RTN_BROADCAST and RTN_MULTICAST
> 	- OUTPUT: RTN_UNSPEC
> 
> - NAT, mangle, ip_queue, nf_ip_reroute: RTN_UNSPEC in LOCAL_OUT
> 
> - IPVS:
> 	- use RTN_LOCAL in LOCAL_OUT and FORWARD after SNAT
> 	to restrict saddr to be local
> 
> Signed-off-by: Julian Anastasov <ja@....bg>

Unless someone gives some negative feedback soon I'm going to
apply this.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ