lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 23 Mar 2014 16:43:52 +0200
From:	Or Gerlitz <or.gerlitz@...il.com>
To:	Mike Rapoport <mike.rapoport@...ellosystems.com>
Cc:	David Stevens <dlstevens@...ibm.com>,
	David Miller <davem@...emloft.net>,
	netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net] net: vxlan: fix crash when interface is created with
 no group

On Sun, Mar 23, 2014 at 11:27 AM, Mike Rapoport
<mike.rapoport@...ellosystems.com> wrote:

> I believe I've groked what's going on in vxlan_udp_encap_recv and
> vxlan_rcv. There are actually two unrelated problems:
>
> 1) When the vxlan is configured with IPv4 group it crashes when it
> starts to receive IPv6 IGMP packets encapsulated into IPv4 vxlan
> packets. This happens because when ipv6_rcv handles the inner packet,
> the skb->dst still refernces outer IPv4 info. The very old vxlan code
> had skb_dst_drop call in vxlan_udp_encap_recv, which was removed when
> vxlan was refactored to use iptunnel_pull_header (commit
> 7ce04758279514ca1d8ebfe322508a4a430fe2c8: "vxlan: Restructure vxlan
> receive"). The iptunnel_pull_header called skb_dst_drop until recent
> commit 10ddceb22bab11dab10ba645c7df2e4a8e7a5db5 ("ip_tunnel:multicast
> process cause panic due to skb->_skb_refdst NULL pointer").
> The simplest fix, I think, would be to restore call to skb_dst_drop in
> vxlan_udp_encap_recv.

Yep, following Mike's suggestion, adding the below call allows things to work,
where trying vxlan without OVS, e.g using

$ ip link add vxlan42 type vxlan id 42 group 239.0.0.42 ttl 10 dev ethN

$ ifconfig vxlan42 192.168.42.54/24 up

over the net tree with 3.14-rc6 and beyond crashes instantly on node A
when node B is
taken up and starts sending, so commit 10ddceb22b indeed introduced a
regression.

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index a7eb3f2..22d7484 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1150,6 +1150,8 @@ static int vxlan_udp_encap_recv(struct sock *sk,
struct sk_buff *skb)
        if (iptunnel_pull_header(skb, VXLAN_HLEN, htons(ETH_P_TEB)))
                goto drop;

+       skb_dst_drop(skb);
+
        port = inet_sk(sk)->inet_sport;

        vs = rcu_dereference_sk_user_data(sk);
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists