Open Source and information security mailing list archives
Date:   Wed, 24 Aug 2016 08:23:38 -0300
From:   Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To:     Neil Horman <nhorman@...driver.com>
Cc:     Xin Long <lucien.xin@...il.com>,
        network dev <netdev@...r.kernel.org>,
        linux-sctp@...r.kernel.org, davem <davem@...emloft.net>,
        Vlad Yasevich <vyasevich@...il.com>, daniel@...earbox.net
Subject: Re: [PATCH net 2/2] sctp: not copying duplicate addrs to the assoc's
 bind address list

On Mon, Aug 22, 2016 at 10:25:38AM -0400, Neil Horman wrote:
> On Sat, Aug 20, 2016 at 02:41:01PM +0800, Xin Long wrote:
> > > Ah, I see what you're doing.  Ok, this makes some sense, at least on the receive
> > > side, when you get a cookie unpacked and modify the remote peers address list,
> > > it makes sense to check for duplicates.  On the local side however, I would,
> > > instead of checking it when the list gets copied, I'd check it when the master
> > > list gets updated (in the NETDEV_UP event notifier for the local address list,
> > 
> > I was thinking about checking it in the NETDEV_UP, yes it can make the
> > master list have no duplicated addresses.  But what if two same-address
> > events come, and they come from different NICs (though I can't point out
> > the valid use case), then we filter there.
> > 

I guess a valid use case would be the poor man's roaming between wifi
and ethernet with both mac addresses assigned to the same IP address, so
that you don't terminate your connections when moving from one to
another. This works quite well.

It could even be just a temporary config during setup. Like, a sysadmin
forgot to remove the address from a NIC before adding on the other one,
and then noticed it. For a while, the system would have the address
assigned to two interfaces.

> That I think would be a bug in the protocol code.  For the ipv4 case, all
> addresses are owned by the system and the same addresses added to multiple
> interfaces should not be allowed.  The same is true of ipv6 case.  The only
> exception there is a link local address and that should still be unique within
> the context of an address/dev tuple.
> 

Maybe it should not but there is nothing stopping you from doing so.

> > Later, sctp may receive one NETDEV_DOWN event, sctp will remove that
> > addr in the master list, but it shouldn't have been removed, as another local
> > NIC still has that addr.
> > 
> > That's why I have to leave the master alone, just check when they are really
> > being bound to the asoc addr list.
> > 

Or add a refcnt to its members. </idea>
NETDEV_UP, it gets a ++ if it's already there
NETDEV_DOWN, it gets a -- and cleans it up if it reaches 0
And the rest probably could stay the same.

> > > and the sctp_add_bind_addr function for the endpoint address list).  That way
> > 
> > As to the endpoint address list, sctp has a different process for binding
> > the address 'ANY' from assoc address list (note that this issue only
> > happened in binding the address 'ANY'). Instead of copying the master
> > address list to the endpoint, it only adds address 'ANY' to the EP
> > address list. Only when starting a connection and creating the assoc does it
> > copy the master address list to ASOC.
> > 
> > So no need to do it in sctp_add_bind_addr for endpoint address list.
> > Besides, sctp_add_bind_addr is supposed to be called after checking
> > the duplicated address (I got it from sctp_do_bind()). :-)
> > 
> > > you can keep that nested for loop out of the send path on the local system.
> > >
> > >
> > 
> 
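
The refcount idea from this message (NETDEV_UP increments, NETDEV_DOWN decrements and cleans up at 0), as an added userspace C model that is not part of the original thread and is not the kernel's sctp code. The names `addr_entry`, `addr_up`, `addr_down` and `addr_count` are hypothetical, and the model assumes IPv4 addresses and no concurrent access.

```c
#include <stdint.h>
#include <stdlib.h>

/* Userspace model, hypothetical names; IPv4 only, no locking or RCU. */
struct addr_entry {
    uint32_t addr;           /* IPv4 address, host byte order */
    unsigned int refcnt;     /* interfaces currently holding this address */
    struct addr_entry *next;
};

/* NETDEV_UP: ++ if already listed, else add. Returns new refcount, 0 on OOM. */
unsigned int addr_up(struct addr_entry **head, uint32_t addr)
{
    struct addr_entry *e;
    for (e = *head; e; e = e->next)
        if (e->addr == addr)
            return ++e->refcnt;
    e = malloc(sizeof(*e));
    if (!e)
        return 0;
    e->addr = addr;
    e->refcnt = 1;
    e->next = *head;
    *head = e;
    return 1;
}

/* NETDEV_DOWN: --, unlink and free only at 0. Returns refcount left, -1 if absent. */
int addr_down(struct addr_entry **head, uint32_t addr)
{
    for (struct addr_entry **pp = head; *pp; pp = &(*pp)->next) {
        struct addr_entry *e = *pp;
        if (e->addr != addr)
            continue;
        if (--e->refcnt > 0)
            return (int)e->refcnt;   /* another interface still has it */
        *pp = e->next;
        free(e);
        return 0;
    }
    return -1;
}

/* Distinct addresses in the list: what a copy to an association would see. */
size_t addr_count(const struct addr_entry *head)
{
    size_t n = 0;
    for (; head; head = head->next)
        n++;
    return n;
}
```

With the same address brought up on two interfaces, the list holds one entry with a count of 2, so a later copy sees no duplicate and a single NETDEV_DOWN leaves the entry in place.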
