| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Mar 2016 12:01:31 +0100 From: Steffen Klassert <steffen.klassert@...unet.com> To: Jiri Bohac <jbohac@...e.cz> CC: Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, <netdev@...r.kernel.org> Subject: Re: [PATCH] xfrm: don't segment UFO packets On Thu, Mar 17, 2016 at 11:49:53AM +0100, Jiri Bohac wrote: > On Thu, Mar 17, 2016 at 11:24:59AM +0100, Steffen Klassert wrote: > > > > On Wed, Mar 16, 2016 at 05:00:26PM +0100, Jiri Bohac wrote: > > > Fixes my broken case. > > > > Is this IPv4 or IPv6? IPv4 should not create a GSO skb > > if IPsec is done. It checks for rt->dst.header_len > > in __ip_append_data() and does a fallback to the > > standard case if rt->dst.header_len is non zero. > > It's IPv6. > > > In IPv6 this check is missing, so this could be the > > problem if this is IPv6. > > Doesn't the check do exactly the opposite of what the RFC says? > The RFC wants ESP to be performed first and fragmentation after > that. UDPv4 currently seems to be doing the opposite. No, __ip_append_data() only prepares the packets for fragmentation and enqueues them. Then __ip_make_skb() dequeues and builds one skb with a fraglist. Then the xfrm layer is called, so esp linearizes (unfortunately) the skb and applies the transformation. Fragmentation happens after that.
Powered by blists - more mailing lists