Message-ID: <1317990201.3207.15.camel@edumazet-HP-Compaq-6005-Pro-SFF-PC>
Date:	Fri, 07 Oct 2011 14:23:21 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Josh Boyer <jwboyer@...hat.com>
Cc:	Joel Sing <jsing@...gle.com>, Julian Anastasov <ja@....bg>,
	netdev@...r.kernel.org
Subject: Re: loopback IP alias breaks tftp?

On Friday, 07 October 2011 at 14:04 +0200, Eric Dumazet wrote:

> It's a completely different problem IMHO: you describe a tftp server
> bug.
> 
> Say your tftp server is multihomed with 3 different IPs:
> 
> 192.168.20.21, 192.168.20.22, 192.168.20.23
> 
> And the tftp server listens on any address (UDP port 69): 0.0.0.0:69
> 
> When receiving a request on 192.168.20.22, it should use the same source
> address, not let the system choose a "random or whatever policy" one.
> 
> So I would suggest to check/fix if the TFTP server uses the correct socket
> API to get both the client IP and its own IP in each UDP datagram:
> 
> -> setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on))
> 
> This permits the tftp server to use the same "struct in_pktinfo" for replies, forcing a correct source address.
> 

By the way, there is no need for a tftp change:

Just launch several tftpd instances and bind each of them to one
particular IP.

If started from xinetd.d:

$ cat /etc/xinetd.d/tftp1
service tftp
{
	socket_type		= dgram
	protocol		= udp
	wait			= yes
	user			= root
	server			= /usr/sbin/in.tftpd
	server_args		= -s /tftpboot
	disable			= no
	bind			= 192.168.20.21
	per_source		= 11
	cps			= 100 2
	flags			= IPv4
}

$ cat /etc/xinetd.d/tftp2
service tftp
{
	socket_type		= dgram
	protocol		= udp
	wait			= yes
	user			= root
	server			= /usr/sbin/in.tftpd
	server_args		= -s /tftpboot
	disable			= no
	bind			= 192.168.20.22
	per_source		= 11
	cps			= 100 2
	flags			= IPv4
}

$ cat /etc/xinetd.d/tftp3
service tftp
{
	socket_type		= dgram
	protocol		= udp
	wait			= yes
	user			= root
	server			= /usr/sbin/in.tftpd
	server_args		= -s /tftpboot
	disable			= no
	bind			= 192.168.20.23
	per_source		= 11
	cps			= 100 2
	flags			= IPv4
}
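
The IP_PKTINFO approach from the quoted message, written out as an added example that is not part of this thread and not tftpd's own code: a UDP server bound to 0.0.0.0 asks the kernel for the destination address of each datagram, then echoes that address back as the reply's source via a sendmsg() control message. The self-test runs over loopback only (constructed request "RRQ" / reply "ACK", hypothetical helper names); on a multihomed host the same calls keep the reply's source equal to whichever of the server's addresses the client used.

```c
/* Added example: force the reply source address of a 0.0.0.0-bound UDP
 * server to the address the request was sent to, using IP_PKTINFO. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Ask the kernel to attach a struct in_pktinfo (destination address and
 * receiving interface) to every datagram delivered on fd. */
int enable_pktinfo(int fd)
{
    int on = 1;
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on));
}

/* recvmsg() wrapper: fills peer with the sender and pi with the kernel's
 * in_pktinfo control message. Returns payload length or -1. */
ssize_t recv_with_dst(int fd, void *buf, size_t len,
                      struct sockaddr_in *peer, struct in_pktinfo *pi)
{
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct msghdr msg = { .msg_name = peer, .msg_namelen = sizeof(*peer),
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    memset(pi, 0, sizeof(*pi));
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(pi, CMSG_DATA(c), sizeof(*pi));
            break;
        }
    return n;
}

/* sendmsg() wrapper: reply to peer with the source address pinned to the
 * request's destination (ipi_spec_dst), so routing policy cannot pick
 * another of the server's addresses. ipi_ifindex is left 0 on purpose:
 * only the source address is forced, the route is still chosen normally. */
ssize_t send_from(int fd, const void *buf, size_t len,
                  const struct sockaddr_in *peer, const struct in_pktinfo *req)
{
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    memset(cbuf, 0, sizeof(cbuf));
    struct msghdr msg = { .msg_name = (void *)peer, .msg_namelen = sizeof(*peer),
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    struct in_pktinfo out = { .ipi_ifindex = 0, .ipi_spec_dst = req->ipi_addr };
    memcpy(CMSG_DATA(c), &out, sizeof(out));
    return sendmsg(fd, &msg, 0);
}

/* Loopback self-test (constructed traffic): server bound to 0.0.0.0:<ephemeral>
 * answers a request sent to 127.0.0.1; the client checks the reply's source.
 * Returns 0 on success, otherwise the number of the step that failed. */
int demo(void)
{
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    struct timeval tmo = { .tv_sec = 2 };              /* never hang the test */
    if (srv < 0 || cli < 0 || enable_pktinfo(srv) < 0 ||
        setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo)) < 0 ||
        setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo)) < 0)
        return 1;
    struct sockaddr_in any = { .sin_family = AF_INET, .sin_port = 0,
                               .sin_addr.s_addr = htonl(INADDR_ANY) };
    socklen_t alen = sizeof(any);
    if (bind(srv, (struct sockaddr *)&any, sizeof(any)) < 0 ||
        getsockname(srv, (struct sockaddr *)&any, &alen) < 0)
        return 2;                                      /* learn ephemeral port */
    struct sockaddr_in target = any;
    target.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* client talks to 127.0.0.1 */
    if (sendto(cli, "RRQ", 3, 0, (struct sockaddr *)&target, sizeof(target)) != 3)
        return 3;
    char buf[64];
    struct sockaddr_in peer, from;
    struct in_pktinfo pi;
    if (recv_with_dst(srv, buf, sizeof(buf), &peer, &pi) != 3)
        return 4;
    if (pi.ipi_addr.s_addr != htonl(INADDR_LOOPBACK))  /* kernel reported the dst */
        return 5;
    if (send_from(srv, "ACK", 3, &peer, &pi) != 3)
        return 6;
    socklen_t flen = sizeof(from);
    if (recvfrom(cli, buf, sizeof(buf), 0, (struct sockaddr *)&from, &flen) != 3)
        return 7;
    close(srv);
    close(cli);
    return from.sin_addr.s_addr == htonl(INADDR_LOOPBACK) ? 0 : 8;
}

int main(void)
{
    int rc = demo();
    printf("%s (rc=%d)\n", rc ? "FAILED" : "reply source matched request destination", rc);
    return rc;
}
```

A server that already does this needs no per-address xinetd instances: one socket on 0.0.0.0:69 answers correctly on every interface, and the three-config workaround above becomes unnecessary.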
