Message-ID: <20130113044513.GA26457@linuxace.com>
Date: Sat, 12 Jan 2013 20:45:13 -0800
From: Phil Oester <kernel@...uxace.com>
To: netdev@...r.kernel.org
Subject: Regression in 3.6+: fib_validate_source breakage
In commit 7a9bc9b81a (Elide fib_validate_source() completely when possible) it
was stated:

    If rpfilter is off (or the SKB has an IPSEC path) and there are not
    tclassid users, we don't have to do anything at all when
    fib_validate_source() is invoked besides setting the itag to zero.

However, this change was later proven to break redirects, fixed in commit
e81da0e113 (ipv4: fix sending of redirects).

In addition to this breakage, it also bypassed another necessary check, as
clearly stated in the preamble comment to fib_validate_source:

     * - (main) check, that source is valid i.e. not broadcast or our local
     *   address.

Without this check (and if rp_filter is NOT enabled), packets with local source
addresses are accepted by the stack. This only came to light due to a buggy
switch which is occasionally reflecting packets back at a box running a VRRP
daemon, causing the local box to believe it has seen a higher priority
advertisement, when in reality it is only seeing a copy of its own advertisement.
Prior to 3.6, these packets would be silently dropped.

Also, not that I use it, but accept_local handling appears to now be broken.

I realize the original change likely made the route cache removal more palatable,
but given the number of issues it has caused, perhaps a revert is in order?
I can't find any easy alternative fix.

Phil Oester
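
Added example, not part of the original message and not kernel code: a shell check that lists the interfaces on which rp_filter is effectively off, which is the condition under which the message says the local-source check is skipped on 3.6+. It relies on the documented rule that the kernel uses the larger of conf/all/rp_filter and conf/<interface>/rp_filter; the function name and its optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report interfaces whose effective rp_filter is 0.
# On such interfaces, per the report above, a 3.6+ kernel takes the elided
# fib_validate_source() path and no longer drops packets that carry one of
# the host's own addresses as source.

# rp_filter_off_ifaces [ROOT]
#   ROOT defaults to the live sysctl tree. Passing another directory lets
#   the function run against a constructed tree (used for offline checks).
rp_filter_off_ifaces() {
    root=${1:-/proc/sys/net/ipv4/conf}

    # conf/all acts as a floor: effective value = max(all, per-interface).
    all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)

    for dir in "$root"/*; do
        ifc=${dir##*/}
        # "all" and "default" are templates, not real interfaces.
        case $ifc in
            all|default) continue ;;
        esac
        # Skip anything that is not an interface directory with the knob.
        if [ ! -r "$dir/rp_filter" ]; then
            continue
        fi

        eff=$(cat "$dir/rp_filter")
        if [ "$all" -gt "$eff" ]; then
            eff=$all
        fi

        # 0 = no reverse-path validation; 1 (strict) and 2 (loose) enable it.
        if [ "$eff" -eq 0 ]; then
            printf '%s\n' "$ifc"
        fi
    done
    return 0
}

# Report for the running system (prints nothing if every interface is covered).
rp_filter_off_ifaces | sed 's/^/rp_filter effectively off: /'
```
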