| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Nov 2013 20:44:23 +0000 From: Ben Hutchings <bhutchings@...arflare.com> To: Alexander Duyck <alexander.h.duyck@...el.com> CC: <davem@...emloft.net>, <netdev@...r.kernel.org>, <edumazet@...gle.com>, <herbert@...dor.apana.org> Subject: Re: [PATCH] net: Do not include padding in TCP GRO checksum On Thu, 2013-11-14 at 17:18 -0800, Alexander Duyck wrote: > In some recent tests where I was generating invalid frames I found that > the checksum was being treated as valid for certain frames that computed > the checksum with padding included. On closer inspection I found the > issue was that GRO was using the skb->len instead of the length recorded in > the IP/IPv6 header to determine the number of bytes to checksum. As such > padded frames that actually had invalid checksums generated by adding the > padding to the checksum were being incorrectly tagged as valid. > > This change corrects that by using the tot_len from IPv4 headers and the > payload_len from IPv6 headers to compute the total number of bytes to be > included in the checksum. > > Signed-off-by: Alexander Duyck <alexander.h.duyck@...el.com> > --- > > I haven't had a chance to test this much yet and I am not that familiar > some of this GRO code so any review of this would be greatly appreciated. > I will try to get this tested by end-of-day tomorrow to verify it resolves > the issues I saw with invalid padded frames being marked as valid and > doesn't introduce any new issues. > > net/ipv4/tcp_offload.c | 13 ++++++++----- > net/ipv6/tcpv6_offload.c | 11 +++++++---- > 2 files changed, 15 insertions(+), 9 deletions(-) > > diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c > index a2b68a1..3dabb76 100644 > --- a/net/ipv4/tcp_offload.c > +++ b/net/ipv4/tcp_offload.c [...] > @@ -288,11 +291,11 @@ flush: > return NULL; > > case CHECKSUM_NONE: > - wsum = csum_tcpudp_nofold(iph->saddr, iph->daddr, > - skb_gro_len(skb), IPPROTO_TCP, 0); > + wsum = csum_tcpudp_nofold(iph->saddr, iph->daddr, length, > + IPPROTO_TCP, 0); > sum = csum_fold(skb_checksum(skb, > skb_gro_offset(skb), > - skb_gro_len(skb), > + length, length may also be > skb_gro_len() which makes this unsafe. > wsum)); > if (sum) > goto flush; > diff --git a/net/ipv6/tcpv6_offload.c b/net/ipv6/tcpv6_offload.c > index c1097c7..53fc71d 100644 > --- a/net/ipv6/tcpv6_offload.c > +++ b/net/ipv6/tcpv6_offload.c [...] > @@ -52,11 +56,10 @@ flush: > > case CHECKSUM_NONE: > wsum = ~csum_unfold(csum_ipv6_magic(&iph->saddr, &iph->daddr, > - skb_gro_len(skb), > - IPPROTO_TCP, 0)); > + length, IPPROTO_TCP, 0)); > sum = csum_fold(skb_checksum(skb, > skb_gro_offset(skb), > - skb_gro_len(skb), > + length, > wsum)); > if (sum) > goto flush; Same problem here. inet_gro_receive() and ipv6_gro_receive() already check whether the IP length field is consistent with skb_gro_len(), and set NAPI_GRO_CB(skb)->flush if it is not. I wonder whether it would make sense to skip calling the transport-layer gro_receive function in that case. Ben. -- Ben Hutchings, Staff Engineer, Solarflare Not speaking for my employer; that's the marketing department's job. They asked us to note that Solarflare product names are trademarked. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists