lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1458576760.4542.45.camel@redhat.com>
Date:	Mon, 21 Mar 2016 17:12:40 +0100
From:	Paolo Abeni <pabeni@...hat.com>
To:	David Miller <davem@...emloft.net>
Cc:	netdev@...r.kernel.org, kuznet@....inr.ac.ru,
	sbohrer@...advisors.com, hannes@...essinduktion.org
Subject: Re: [PATCH net] ipv4: fix broadcast packets reception

On Mon, 2016-03-21 at 11:50 -0400, David Miller wrote:
> From: Paolo Abeni <pabeni@...hat.com>
> Date: Mon, 21 Mar 2016 16:42:11 +0100
> 
> > Currently, ingress ipv4 broadcast datagrams are dropped if the
> > ingress interface lacks an ipv4 address. This is caused by
> > multiple issues:
> > 
> > - in udp_v4_early_demux() ip_check_mc_rcu is invoked even on
> >   bcast packets
> > 
> > - ip_route_input_slow() always try to validate the source
> > 
> > This patch tries to address both issues, invoking ip_check_mc_rcu()
> > only for mcast packets and calling fib_validate_source() only
> > if the in_device has an address, at least.
> > 
> > Fixes: 6e5403093261 ("ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()")
> > Signed-off-by: Paolo Abeni <pabeni@...hat.com>
> 
> I'm extremely weary to change the routing lookup code wrt. broadcast, multicast,
> etc. policies, ever.  The checks in there have multiple decades of precedence
> and therefore are extremely dangerous to modify.
> 
> The UDP change in question didn't touch the generic routing code, therfore you
> must fix this bug without modifying it either.

ok, I'll try to find something less intrusive. I'm not sure if it will
be possible.

Just a little addendum: the current issue is not caused only by the
commit 6e5403093261, but also by some less trivial/older change into the
routing lookup code I was unable to track exactly.

Cheers,

Paolo 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ