| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20151222222921.GA30207@merlot> Date: Tue, 22 Dec 2015 22:29:22 +0000 From: Huw Davies <huw@...eweavers.com> To: Hannes Frederic Sowa <hannes@...essinduktion.org> Cc: netdev@...r.kernel.org, linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov, Paul Moore <pmoore@...hat.com> Subject: Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option. On Tue, Dec 22, 2015 at 10:47:43PM +0100, Hannes Frederic Sowa wrote: > On 22.12.2015 17:59, Huw Davies wrote: > > I'm confused about this one. AFAICS, this will drop packets that we > > can't process. We don't send the icmp error, but I can certainly add > > that. Is that what you mean? > > Actually, the implementation of calipso_validate will accept the packets > because it defaults to return true if we don't compile the module. At > least we should drop the packet if it is not loaded. I am in favor of > adding the parameter problem icmp error. So, yes, I think it should be > added. Yet the option value is 0x07, i.e. the two highest bits are both zero which according to: https://tools.ietf.org/html/rfc2460#section-4.2 means we should just skip it. https://tools.ietf.org/html/rfc5570#section-5.1.1 reaffirms that. In terms of sending an icmp on error while validating: https://tools.ietf.org/html/rfc5570#section-6.2.2 is pretty conservative in that case too. Most errors should just be silently dropped. Huw. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists