lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 6 Jan 2014 13:53:49 -0800 (PST)
From:	François-Xavier Le Bail <fx.lebail@...oo.com>
To:	hannes@...essinduktion.org, David Miller <davem@...emloft.net>
Cc:	netdev@...r.kernel.org, kuznet@....inr.ac.ru, jmorris@...ei.org,
	yoshfuji@...ux-ipv6.org, kaber@...sh.net
Subject: Re: [PATCH net-next v4] IPv6: use anycast addresses as source addresses in echo reply

On Mon, 1/6/14, David Miller <davem@...emloft.net> wrote:

> From: Hannes Frederic Sowa <hannes@...essinduktion.org>
> Date: Mon, 6 Jan 2014 00:05:05 +0100

>> On Fri, Jan 03, 2014 at 05:43:31PM +0100, Francois-Xavier Le Bail wrote:
>>> diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
>>> index 5d42009..65c8619 100644
>>> --- a/net/ipv6/icmp.c
>>> +++ b/net/ipv6/icmp.c
>>> @@ -556,7 +556,9 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
>>>  
>>>      saddr = &ipv6_hdr(skb)->daddr;
>>>  
>>> -    if (!ipv6_unicast_destination(skb))
>>> +    if (!ipv6_unicast_destination(skb) &&
>>> +        !(net->ipv6.anycast_src_echo_reply &&
>>> +          ipv6_chk_acast_addr(net, NULL, saddr)))
>>>          saddr = NULL;
>> 
>> I am not sure why you left out the device at ipv6_chk_acast_addr?
>> 
>> IMHO this logic is a bit more complex, we can pass NULL for ipv6 addresses of
>> scope global but need to check the interface for scope link.
>> 
>> It is already possible via setsockopt JOIN_ANYCAST that an ll address is
>> anycast on another interface which may not be checked here.

> I think we should pass a valid device in unless it breaks something
> obvious.

The problem is that "saddr" is not necessarily an address on "skb->dev"
in icmpv6_echo_reply(). It may be an address on another interface.

If dev arg is NULL, ipv6_chk_acast_addr() searches all devices for "saddr", that what we need.

It works for global scope and link-local anycast address.

So passing a valid device to ipv6_chk_acast_addr() breaks the goal of the patch.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ