Message-Id: <20160726.142538.311340107234321451.davem@davemloft.net>
Date: Tue, 26 Jul 2016 14:25:38 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: hchunhui@...l.ustc.edu.cn
Cc: dsa@...ulusnetworks.com, nicolas.dichtel@...nd.com, roopa@...ulusnetworks.com, rshearma@...cade.com, dbarroso@...tly.com, martinbj2008@...il.com, rick.jones2@...com, koct9i@...il.com, edumazet@...gle.com, tgraf@...g.ch, ebiederm@...ssion.com, yoshfuji@...ux-ipv6.org, ja@....bg, hannes@...essinduktion.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] net: neigh: disallow transition to NUD_STALE if lladdr is unchanged in neigh_update()

From: Chunhui He <hchunhui@...l.ustc.edu.cn>
Date: Tue, 26 Jul 2016 06:16:52 +0000

> NUD_STALE is used when the caller (e.g. arp_process()) can't guarantee
> neighbour reachability. If the entry was NUD_VALID and lladdr is unchanged,
> the entry state should not be changed.
>
> Currently the code puts an extra "NUD_CONNECTED" condition. So if old state
> was NUD_DELAY or NUD_PROBE (they are NUD_VALID but not NUD_CONNECTED), the
> state can be changed to NUD_STALE.
>
> This may cause a problem. Because NUD_STALE lladdr doesn't guarantee
> reachability, when we send traffic, the state will be changed to
> NUD_DELAY. In normal case, if we get no confirmation (by dst_confirm()),
> we will change the state to NUD_PROBE and send probe traffic. But now the
> state may be reset to NUD_STALE again (e.g. by broadcast ARP packets),
> so the probe traffic will not be sent. This situation may happen again and
> again, and packets will be sent to a non-reachable lladdr forever.
>
> The fix is to remove the "NUD_CONNECTED" condition. After that the
> "NEIGH_UPDATE_F_WEAK_OVERRIDE" condition (used by IPv6) in that branch will
> be redundant, so remove it.
>
> This change may increase probe traffic, but it's essential since NUD_STALE
> lladdr is unreliable. To ensure correctness, we prefer to resolve lladdr,
> when we can't get confirmation, even while remote packets try to set
> NUD_STALE state.
>
> Signed-off-by: Chunhui He <hchunhui@...l.ustc.edu.cn>

Applied, thanks.
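
The loop described in the quoted commit message, as an added user-space model (not the kernel code and not part of the original thread). The function names `weak_update`, `on_traffic`, `on_timer` and `probes_sent` are hypothetical, the NEIGH_UPDATE_F_* flags are left out, and each round assumes one broadcast ARP with an unchanged lladdr arrives before the timer fires.

```c
#include <stdio.h>

/* NUD_* bit values as in the kernel's neighbour headers. */
enum { NUD_REACHABLE = 0x02, NUD_STALE = 0x04, NUD_DELAY = 0x08,
       NUD_PROBE = 0x10, NUD_NOARP = 0x40, NUD_PERMANENT = 0x80 };
#define NUD_CONNECTED (NUD_PERMANENT | NUD_NOARP | NUD_REACHABLE)
#define NUD_VALID     (NUD_CONNECTED | NUD_PROBE | NUD_STALE | NUD_DELAY)

/* Model of the branch under discussion: an update asks for NUD_STALE
 * while the lladdr is unchanged. Returns the resulting state. */
static int weak_update(int old, int fixed)
{
    int keep = fixed ? (old & NUD_VALID)       /* after the patch */
                     : (old & NUD_CONNECTED);  /* extra condition before it */
    return keep ? old : NUD_STALE;
}

/* Sending traffic through a STALE entry moves it to DELAY. */
static int on_traffic(int s) { return s == NUD_STALE ? NUD_DELAY : s; }

/* Timer expiry with no dst_confirm(): DELAY becomes PROBE, PROBE probes. */
static int on_timer(int s, int *probes)
{
    if (s == NUD_DELAY)
        s = NUD_PROBE;
    if (s == NUD_PROBE)
        (*probes)++;
    return s;
}

/* Each round: we send traffic, a broadcast ARP with the same lladdr
 * arrives, then the timer fires. Returns the number of probes sent. */
int probes_sent(int rounds, int fixed)
{
    int state = NUD_STALE, probes = 0;
    for (int i = 0; i < rounds; i++) {
        state = on_traffic(state);
        state = weak_update(state, fixed);
        state = on_timer(state, &probes);
    }
    return probes;
}

int main(void)
{
    printf("before patch: %d probes\n", probes_sent(5, 0));
    printf("after patch:  %d probes\n", probes_sent(5, 1));
    return 0;
}
```

With the extra condition the entry bounces between NUD_STALE and NUD_DELAY and never reaches NUD_PROBE, so the unreachable lladdr is never re-resolved; without it a probe goes out on every timer expiry.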