| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 02 May 2018 11:08:41 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: grygorii.strashko@...com
Cc: netdev@...r.kernel.org, nsekhar@...com,
linux-kernel@...r.kernel.org, linux-omap@...r.kernel.org
Subject: Re: [PATCH] net: ethernet: ti: cpsw: fix packet leaking in
dual_mac mode
From: Grygorii Strashko <grygorii.strashko@...com>
Date: Tue, 1 May 2018 12:41:22 -0500
> In dual_mac mode packets arrived on one port should not be forwarded by
> switch hw to another port. Only Linux Host can forward packets between
> ports. The below test case (reported in [1]) shows that packet arrived on
> one port can be leaked to anoter (reproducible with dual port evms):
> - connect port 1 (eth0) to linux Host 0 and run tcpdump or Wireshark
> - connect port 2 (eth1) to linux Host 1 with vlan 1 configured
> - ping <IPx> from Host 1 through vlan 1 interface.
> ARP packets will be seen on Host 0.
>
> Issue happens because dual_mac mode is implemnted using two vlans: 1 (Port
> 1+Port 0) and 2 (Port 2+Port 0), so there are vlan records created for for
> each vlan. By default, the ALE will find valid vlan record in its table
> when vlan 1 tagged packet arrived on Port 2 and so forwards packet to all
> ports which are vlan 1 members (like Port.
>
> To avoid such behaviorr the ALE VLAN ID Ingress Check need to be enabled
> for each external CPSW port (ALE_PORTCTLn.VID_INGRESS_CHECK) so ALE will
> drop ingress packets if Rx port is not VLAN member.
>
> Signed-off-by: Grygorii Strashko <grygorii.strashko@...com>
Applied and queued up for -stable, thank you.
Powered by blists - more mailing lists