lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAF=yD-Lm85ZJf9VOkss5cUqFmCKsDRCKxKopyv9_=yaAtuq8QQ@mail.gmail.com>
Date:   Thu, 17 Jan 2019 10:09:37 -0500
From:   Willem de Bruijn <willemdebruijn.kernel@...il.com>
To:     Nicolas Dichtel <nicolas.dichtel@...nd.com>
Cc:     David Miller <davem@...emloft.net>,
        Network Development <netdev@...r.kernel.org>,
        Willem de Bruijn <willemb@...gle.com>,
        Maxim Mikityanskiy <maximmi@...lanox.com>
Subject: Re: [PATCH net v2] af_packet: fix raw sockets over 6in4 tunnel

On Thu, Jan 17, 2019 at 5:29 AM Nicolas Dichtel
<nicolas.dichtel@...nd.com> wrote:
>
> Since commit cb9f1b783850, scapy (which uses an AF_PACKET socket in
> SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel:
>
> Here is a example of the setup:
> $ ip link set ntfp2 up
> $ ip addr add 10.125.0.1/24 dev ntfp2
> $ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2
> $ ip addr add fd00:cafe:cafe::1/128 dev tun1
> $ ip link set dev tun1 up
> $ ip route add fd00:200::/64 dev tun1
> $ scapy
> >>> p = []
> >>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest()
> >>> send(p, count=1, inter=0.1)
> >>> quit()
> $ ip -s link ls dev tun1 | grep -A1 "TX.*errors"
>     TX: bytes  packets  errors  dropped carrier collsns
>     0          0        1       0       0       0
>
> The problem is that the network offset is set to the hard_header_len of the
> output device (tun1, ie 14 + 20) and in our case, because the packet is
> small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes
> (ipv6 header) starting from the network offset).
>
> This problem is more generally related to device with variable hard header
> length. To avoid a too intrusive patch in the current release, a (ugly)
> workaround is proposed in this patch. It has to be cleaned up in net-next.
>
> Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1
> Link: http://patchwork.ozlabs.org/patch/1024489/
> Fixes: cb9f1b783850 ("ip: validate header length on virtual device xmit")
> CC: Willem de Bruijn <willemb@...gle.com>
> CC: Maxim Mikityanskiy <maximmi@...lanox.com>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com>

Acked-by: Willem de Bruijn <willemb@...gle.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ