lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Wed, 22 Jan 2014 09:45:10 +1300
From:	"gregory hoggarth" <>
To:	<>
Cc:	<>
Subject: Kernel fails to drop packet with martian source address
 (subnet broadcast)


This is my second mail to the list about this issue, since I didn't get much of
a response for my first one.

Earlier in the year we upgraded the linux kernel on our L3 switch firmware to 
v3.6.2 which includes the "ipv4: Elidge fib_validate_source() completely when 
possible" patch. Our testers have picked up a change in behaviour which I have 
traced back to this patch and I'd like to get comments on whether this is a bug
or not. Here's the patch:

We found that in a configuration with a device under test (DUT) that has an IP 
address / 24, when it is sent an ICMP echo request with a source IP 
address of will now be accepted by the DUT, which will send an 
ICMP echo reply back to the address with a broadcast MAC address 
of FFFF.FFFF.FFFF, meaning any other devices in the L2 domain will pick up and 
process the ICMP reply.

Prior to the upgrade, our device was running on linux kernel, and in 
that version the DUT would reject the packet with a martian source address 
11:20:54 awplus kernel: RxPkt(00001) Q:1 dev:8 lport:00000a00 cpuC:154 encap:0 
len:98 bufs:1
11:20:54 awplus kernel: RxPkt(00001) vid:1 port2.0.23
11:20:54 awplus kernel: <7>   0000cd29 980d0000 cd27c1eb 08004500 
11:20:54 awplus kernel: <7>   00540000 40004001 b858c0a8 00ffc0a8 
11:20:54 awplus kernel: <7>   00010800 a4cf588c 000552dd c9990000 
11:20:54 awplus kernel: <7>   f3240809 0a0b0c0d 0e0f1011 12131415 
11:20:54 awplus kernel: <7>   (...)
11:20:54 awplus kernel: martian source from, on dev 
11:20:54 awplus kernel: ll header: 

Initially we were thinking that a device configured with / 23 
sending a ping to / 24 should expect to get a reply, even though 
this is somewhat of a misconfiguration in that the subnets aren't matching and 
that some things may not work properly. For example ping from a device with IP 
address would behave correctly, so it seemed correct that a ping 
from should also work properly. However it appears that some 
other part of the kernel is detecting that the echo reply packet sent by the 
DUT has a destination IP address of the subnet broadcast, so instead of sending 
it with a unicast MAC address it sends it with the broadcast MAC address, which 
means all other devices on the subnet would process the ICMP echo reply. This 
therefore makes it seem like the ICMP echo request should have been dropped in 
the first place.

The patch added the "if (!r && !fib_num_tclassid_users)" check to 
fib_validate_source, which for our devices evaluates to true, hence returning 
early and the source address check inside __fib_validate_source is not carried 

Does anyone have comments as to what the correct behaviour should be in this 
case, and whether this is an unexpected side-effect from the patch or not?


To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists