Date: Wed, 19 Nov 2014 11:51:39 -0800
From: Joe Stringer <joestringer@...ira.com>
To: Pravin Shelar <pshelar@...ira.com>
Cc: "dev@...nvswitch.org" <dev@...nvswitch.org>, netdev <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [ovs-dev] [PATCH net] openvswitch: Fix mask generation for IPv6 labels.

On Wednesday, November 19, 2014 11:08:35 Pravin Shelar wrote:
> On Wed, Nov 19, 2014 at 9:48 AM, Joe Stringer <joestringer@...ira.com> wrote:
> > On Wednesday, November 19, 2014 00:11:01 Pravin Shelar wrote:
> >> On Tue, Nov 18, 2014 at 11:25 PM, Joe Stringer <joestringer@...ira.com> wrote:
> >> > On 18 November 2014 22:09, Pravin Shelar <pshelar@...ira.com> wrote:
> >> >> On Tue, Nov 18, 2014 at 10:54 AM, Joe Stringer <joestringer@...ira.com> wrote:
> >> >> > When userspace doesn't provide a mask, OVS datapath generates a
> >> >> > fully unwildcarded mask for the flow. This is done by taking a
> >> >> > copy of the flow key, then iterating across its attributes,
> >> >> > setting all values to 0xff. This works for most attributes, as the
> >> >> > length of the netlink attribute typically matches the length of
> >> >> > the value. However, IPv6 labels only use the lower 20 bits of the
> >> >> > field. This patch makes a special case to handle this.
> >> >> >
> >> >> > This fixes the following error seen when installing IPv6 flows
> >> >> > without a mask:
> >> >> >
> >> >> > openvswitch: netlink: Invalid IPv6 flow label value
> >> >> > (value=ffffffff, max=fffff)
> >> >>
> >> >> We should allow exact match mask here rather than generating
> >> >> wildcarded mask. So that ovs can catch invalid ipv6.label.
> >> >
> >> > I don't quite follow, I thought this was exact-match? (The existing
> >> > function sets all bits to 1)
> >>
> >> With 0xffffffff value we can exact match on all ipv6.label bits.
> >
> > The label field is only 20 bits. The other bits in the same word of the
> > IPv6 header are for version (fixed) and traffic class (handled
> > separately). We don't do anything with the other bits.
>
> This is just to make sure that we do not use those fields for anything
> else. Masking those extra bits can hide incorrect ipv6 key extraction.

Oh, I see. I meant something more like:

    ipv6_key->ipv6_label &= htonl(0xFFF00000);
    ipv6_key->ipv6_label |= htonl(0x000FFFFF);

(Which would propagate the invalid bits from the flow key, but actually
produce an exact match).
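
The three mask choices discussed in this thread, as an added example that is not part of the original message or the Open vSwitch source: a user-space C model comparing the all-0xff fill, a fixed 20-bit label mask, and the key-propagating variant from the reply above. The function names, label_valid() and the sample keys are hypothetical stand-ins; only the two htonl() statements and the 0xfffff limit come from the thread.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 0x000FFFFFu /* flow label = low 20 bits of the word */

/* Hypothetical stand-in for the check behind the quoted error message. */
static int label_valid(uint32_t label_be)
{
    return (ntohl(label_be) & ~LABEL_MAX) == 0;
}

/* Generic mask generation as described: copy the key, fill with 0xff. */
static uint32_t mask_fill_ff(uint32_t key_label_be)
{
    uint32_t mask = key_label_be;
    memset(&mask, 0xff, sizeof(mask));
    return mask;
}

/* Assumed special case: a fixed mask covering only the label bits. */
static uint32_t mask_low20(void)
{
    return htonl(LABEL_MAX);
}

/* Variant from the reply: keep the key's upper 12 bits, set the low 20. */
static uint32_t mask_propagate(uint32_t key_label_be)
{
    uint32_t mask = key_label_be;
    mask &= htonl(0xFFF00000);
    mask |= htonl(0x000FFFFF);
    return mask;
}

int main(void)
{
    /* Constructed sample keys: one clean, one with stray upper bits. */
    uint32_t keys[] = { htonl(0x00012345), htonl(0x60012345) };
    for (size_t i = 0; i < 2; i++) {
        uint32_t m = mask_propagate(keys[i]);
        printf("key=%08x fill_ff_ok=%d low20_ok=%d propagate=%08x ok=%d\n",
               ntohl(keys[i]), label_valid(mask_fill_ff(keys[i])),
               label_valid(mask_low20()), ntohl(m), label_valid(m));
    }
    return 0;
}
```

With the second sample key the propagated mask fails validation, so stray upper bits in an extracted key are surfaced instead of being masked away, while a clean key yields the exact-match 0x000fffff mask.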