lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20131108.144915.635810300359291522.davem@davemloft.net>
Date:	Fri, 08 Nov 2013 14:49:15 -0500 (EST)
From:	David Miller <davem@...emloft.net>
To:	jiri@...nulli.us
Cc:	netdev@...r.kernel.org, pablo@...filter.org,
	netfilter-devel@...r.kernel.org, yoshfuji@...ux-ipv6.org,
	kadlec@...ckhole.kfki.hu, kaber@...sh.net, mleitner@...hat.com,
	kuznet@....inr.ac.ru, jmorris@...ei.org, wensong@...ux-vs.org,
	horms@...ge.net.au, ja@....bg, edumazet@...gle.com,
	pshelar@...ira.com, jasowang@...hat.com,
	alexander.h.duyck@...el.com, fw@...len.de
Subject: Re: [patch net-next 1/2] ip6_output: fragment outgoing reassembled
 skb properly

From: Jiri Pirko <jiri@...nulli.us>
Date: Fri, 8 Nov 2013 08:52:01 +0100

> Fri, Nov 08, 2013 at 12:54:53AM CET, davem@...emloft.net wrote:
>>From: Jiri Pirko <jiri@...nulli.us>
>>Date: Wed,  6 Nov 2013 17:52:19 +0100
>>
>>> If reassembled packet would fit into outdev MTU, it is not fragmented
>>> according the original frag size and it is send as single big packet.
>>> 
>>> The second case is if skb is gso. In that case fragmentation does not happen
>>> according to the original frag size.
>>> 
>>> This patch fixes these.
>>> 
>>> Signed-off-by: Jiri Pirko <jiri@...nulli.us>
>> ...
>>
>>>  	if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
>>> -	    dst_allfrag(skb_dst(skb)))
>>> +	    dst_allfrag(skb_dst(skb)) ||
>>> +	    (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
>>>  		return ip6_fragment(skb, ip6_finish_output2);
>>
>>Jiri are you sure that you don't need to take GSO into account in the
>>new part you are adding to the test?
> 
> 
> For gso skb, we need co cap outgoing fragments by the original frag size
> as well. So I believe that this code is correct for that case as well.

I'm still not so sure I agree, even after having taken a second look
at this.

Look at ipv4's logic for this same facility:

		if (skb->len > ip_skb_dst_mtu(skb) && !skb_is_gso(skb))
			return ip_fragment(skb, ip_finish_output2);

Strictly, we only call ip_fragment() if skb_is_gso() is false.  And then
in ip_fragment():

	if (unlikely(((iph->frag_off & htons(IP_DF)) && !skb->local_df) ||
		     (IPCB(skb)->frag_max_size &&
		      IPCB(skb)->frag_max_size > dst_mtu(&rt->dst)))) {

And that second branch of this test is what you're trying to duplicate
into ipv6.

Perhaps I don't understand completely the intentions and logic of
dst_allfrag() in the ipv6 case, and maybe you can explain it to me.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ