Open Source and information security mailing list archives
Date:	Mon, 10 Oct 2011 11:10:59 -0400
From:	Josh Boyer <jwboyer@...hat.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	Joel Sing <jsing@...gle.com>, Julian Anastasov <ja@....bg>,
	netdev@...r.kernel.org, francis.souyri@...c.fr
Subject: Re: loopback IP alias breaks tftp?

On Fri, Oct 07, 2011 at 02:23:21PM +0200, Eric Dumazet wrote:
> Le vendredi 07 octobre 2011 à 14:04 +0200, Eric Dumazet a écrit :
> 
> > Its a completely different problem IMHO : You describe a tftp server
> > bug.
> > 
> > Say your tftp server is multihomed with 3 different IPS : 
> > 
> > 192.168.20.21, 192.168.20.22, 192.168.20.23
> > 
> > And tftp server listens to any address (UDP port 69) : 0.0.0.0:69
> > 
> > When receiving a request on 192.168.20.22, it should use same source
> > address, not let the system chose a "random or whatever policy" one.
> > 
> > 
> > 
> > So I would suggest to check/fix if TFTP server uses the correct socket
> > API to get both the client IP and its own IP in each UDP datagram
> > 
> > -> setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on))
> 
> > This permits tftp server to use the same "struct in_pktinfo" for replies, forcing a correct source address.
> > 
> 
> By the way, there is no need for tftp change :
> 
> Just launch several tftpd instances, and bind each them to one
> particular IP.
> 
> If started from xinetd.d :
> 
> $ cat /etc/xinetd.d/tftp1
> service tftp
> {
> 	socket_type		= dgram
> 	protocol		= udp
> 	wait			= yes
> 	user			= root
> 	server			= /usr/sbin/in.tftpd
> 	server_args		= -s /tftpboot
> 	disable			= no
> 	bind		= 192.168.20.21
> 	per_source		= 11
> 	cps			= 100 2
> 	flags			= IPv4
> }

(I've CC'd the original bug reporter now.)

I did this locally and it still timed out.  So the bind alone is not
enough to fix the problem.  At least not on lo:0 127.0.0.2.

Changing the source address in the routing table as Joel suggested does
work around the problem.

So, in summary, either the TFTP server needs to be changed per your
original suggestion, or the routing table needs to be altered for every
alias?  Is that correct?

josh
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
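The fix Eric describes above, pinning the reply's source address with IP_PKTINFO, is shown below as an added example written for this page; it is not code from the thread, from tftp-hpa's in.tftpd, or from any other project. The function names (udp_enable_pktinfo, pktinfo_local_addr, pktinfo_set_src, udp_reply_from) are mine, and the code assumes a Linux/glibc host. It generalizes slightly beyond the tftp case: the same recvmsg/sendmsg pattern applies to any UDP service bound to 0.0.0.0 on a multihomed box. The main() runs a self-contained loopback round trip on 127.0.0.1 and an ephemeral port, so it does not need the lo:0 127.0.0.2 alias from the report; if that alias exists, pointing the client at 127.0.0.2 instead shows the reply coming back from 127.0.0.2 rather than from whatever address the routing table would have chosen.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Control buffer sized and aligned for exactly one IP_PKTINFO message. */
union pktinfo_cbuf {
    struct cmsghdr align;
    char bytes[CMSG_SPACE(sizeof(struct in_pktinfo))];
};

/* Ask the kernel to attach IP_PKTINFO to every datagram recvmsg() returns. */
int udp_enable_pktinfo(int fd)
{
    int on = 1;
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on));
}

/* Recover the local address a datagram arrived on from its ancillary data.
 * ipi_spec_dst is the local address the kernel would source replies from;
 * ipi_addr is the raw header destination (e.g. a broadcast address), which
 * is why ipi_spec_dst is the one to reuse.  Returns 0 on success, -1 if no
 * IP_PKTINFO was attached (socket option not enabled, or buffer too small). */
int pktinfo_local_addr(struct msghdr *msg, struct in_addr *local)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof(pi));   /* CMSG_DATA may be unaligned */
            *local = pi.ipi_spec_dst;
            return 0;
        }
    }
    return -1;
}

/* Attach an IP_PKTINFO to an outgoing msghdr so the kernel uses `src` as the
 * source address instead of picking one by routing policy. */
void pktinfo_set_src(struct msghdr *msg, union pktinfo_cbuf *cb, struct in_addr src)
{
    struct in_pktinfo pi;
    struct cmsghdr *c;

    memset(cb, 0, sizeof(*cb));
    memset(&pi, 0, sizeof(pi));
    pi.ipi_spec_dst = src;           /* ipi_ifindex 0: let routing pick the interface */

    msg->msg_control = cb->bytes;
    msg->msg_controllen = sizeof(cb->bytes);
    c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(pi));
    memcpy(CMSG_DATA(c), &pi, sizeof(pi));
    msg->msg_controllen = CMSG_SPACE(sizeof(pi));
}

/* Send `buf` to `peer`, sourced from `src` (the address the request hit). */
ssize_t udp_reply_from(int fd, const struct sockaddr_in *peer, struct in_addr src,
                       const void *buf, size_t len)
{
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg;
    union pktinfo_cbuf cb;

    memset(&msg, 0, sizeof(msg));
    msg.msg_name = (void *)peer;
    msg.msg_namelen = sizeof(*peer);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    pktinfo_set_src(&msg, &cb, src);
    return sendmsg(fd, &msg, 0);
}

/* Loopback demo: a wildcard-bound "server" answers one datagram from the
 * address it was received on, and the "client" reports where the reply came from. */
int main(void)
{
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in any = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_ANY) };
    struct sockaddr_in srvaddr, peer, from;
    socklen_t slen = sizeof(srvaddr), flen = sizeof(from);
    char req[64], rep[64] = "pong", a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];
    struct iovec iov = { .iov_base = req, .iov_len = sizeof(req) };
    union pktinfo_cbuf cb;
    struct msghdr msg = { .msg_name = &peer, .msg_namelen = sizeof(peer),
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cb.bytes, .msg_controllen = sizeof(cb.bytes) };
    struct in_addr local;

    if (srv < 0 || cli < 0 || bind(srv, (struct sockaddr *)&any, sizeof(any)) < 0 ||
        udp_enable_pktinfo(srv) < 0 || getsockname(srv, (struct sockaddr *)&srvaddr, &slen) < 0) {
        perror("setup");
        return 1;
    }
    srvaddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* client targets 127.0.0.1 */
    sendto(cli, "ping", 4, 0, (struct sockaddr *)&srvaddr, sizeof(srvaddr));

    if (recvmsg(srv, &msg, 0) < 0 || pktinfo_local_addr(&msg, &local) < 0) {
        perror("recvmsg/pktinfo");
        return 1;
    }
    udp_reply_from(srv, &peer, local, rep, strlen(rep));

    recvfrom(cli, rep, sizeof(rep), 0, (struct sockaddr *)&from, &flen);
    printf("request arrived on %s, reply came from %s\n",
           inet_ntop(AF_INET, &local, a, sizeof a),
           inet_ntop(AF_INET, &from.sin_addr, b, sizeof b));
    return 0;
}
```

The control buffer is declared as a union with a struct cmsghdr so it is correctly aligned, and the in_pktinfo is copied in and out with memcpy rather than cast, since CMSG_DATA() is not guaranteed to be aligned for the payload type. A server that lacks IP_PKTINFO support altogether has only the workarounds the thread discusses: one bound instance per address (which Josh reports was not enough for the 127.0.0.2 alias), or a per-alias route with the desired source address.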
