lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120217101648.01f31fcd@nehalam.linuxnetplumber.net>
Date:	Fri, 17 Feb 2012 10:16:48 -0800
From:	Stephen Hemminger <shemminger@...tta.com>
To:	Eric Dumazet <eric.dumazet@...il.com>,
	Pablo Neira Ayuso <pablo@...filter.org>,
	Patrick McHardy <kaber@...sh.net>
Cc:	Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
	netdev@...r.kernel.org, davem@...emloft.net,
	netfilter-devel@...r.kernel.org
Subject: [RFT] nf_contrack_udp: handle packets with padding and hwchecksum

If UDP packet with extra padding is received on a device that
does hardware checksumming (but not checking) is processed
by netfilter conntrack, it would generate a bogus warning
about the checksum being incorrect.

There were two possible solutions. The netfilter conntrack
code could trim the packet, discarding the extra padding
and adjusting the checksum. Or it can force regular
non-offloaded checksum. This patch implements the latter
on the principal that is better for firewall code to not
modify the packet.

Compile tested only; haven't been able to reproduce the
problem yet.

Signed-off-by: Stephen Hemminger <shemminger@...tta.com>

---
Patch against -net tree, after review/test it should go
to stable as well.

--- a/net/netfilter/nf_conntrack_proto_udp.c	2012-01-10 10:57:00.407196614 -0800
+++ b/net/netfilter/nf_conntrack_proto_udp.c	2012-02-17 10:06:18.038472559 -0800
@@ -125,12 +125,17 @@ static int udp_error(struct net *net, st
 	 * We skip checking packets on the outgoing path
 	 * because the checksum is assumed to be correct.
 	 * FIXME: Source route IP option packets --RR */
-	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
-	    nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) {
-		if (LOG_INVALID(net, IPPROTO_UDP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
-				"nf_ct_udp: bad UDP checksum ");
-		return -NF_ACCEPT;
+	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING) {
+		/* Special case for hardware checksum offload with padding */
+		if (skb->ip_summed == CHECKSUM_COMPLETE && udplen > ntohs(hdr->len))
+			skb->ip_summed = CHECKSUM_NONE;
+
+		if (nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) {
+			if (LOG_INVALID(net, IPPROTO_UDP))
+				nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+					      "nf_ct_udp: bad UDP checksum ");
+			return -NF_ACCEPT;
+		}
 	}
 
 	return NF_ACCEPT;
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ