| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 May 2014 15:48:57 -0700 (PDT) From: David Miller <davem@...emloft.net> To: makita.toshiaki@....ntt.co.jp Cc: stephen@...workplumber.org, vyasevic@...hat.com, netdev@...r.kernel.org, bridge@...ts.linux-foundation.org Subject: Re: [PATCH net] bridge: Prevent insertion of FDB entry with disallowed vlan From: Toshiaki Makita <makita.toshiaki@....ntt.co.jp> Date: Mon, 26 May 2014 15:15:53 +0900 > br_handle_local_finish() is allowing us to insert an FDB entry with > disallowed vlan. For example, when port 1 and 2 are communicating in > vlan 10, and even if vlan 10 is disallowed on port 3, port 3 can > interfere with their communication by spoofed src mac address with > vlan id 10. > > Note: Even if it is judged that a frame should not be learned, it should > not be dropped because it is destined for not forwarding layer but higher > layer. See IEEE 802.1Q-2011 8.13.10. > > Signed-off-by: Toshiaki Makita <makita.toshiaki@....ntt.co.jp> In reference to Vlad's suggestion to try to reuse the logic of the existing br_allowed_ingress() function, I don't think that's so easy. As stated already, it drops packets whilst we don't want that here. Another difference is that it does vlan_untag(), which we also do not want here. Let's just stay with this version of the fix, Vlad if you're OK with that can you please give your ACK? Thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists