lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 17 Jan 2019 15:55:27 -0800 (PST)
From:   David Miller <davem@...emloft.net>
To:     nicolas.dichtel@...nd.com
Cc:     netdev@...r.kernel.org, willemb@...gle.com, maximmi@...lanox.com
Subject: Re: [PATCH net v2] af_packet: fix raw sockets over 6in4 tunnel

From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
Date: Thu, 17 Jan 2019 11:27:22 +0100

> Since commit cb9f1b783850, scapy (which uses an AF_PACKET socket in
> SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel:
> 
> Here is a example of the setup:
> $ ip link set ntfp2 up
> $ ip addr add 10.125.0.1/24 dev ntfp2
> $ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2
> $ ip addr add fd00:cafe:cafe::1/128 dev tun1
> $ ip link set dev tun1 up
> $ ip route add fd00:200::/64 dev tun1
> $ scapy
>>>> p = []
>>>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest()
>>>> send(p, count=1, inter=0.1)
>>>> quit()
> $ ip -s link ls dev tun1 | grep -A1 "TX.*errors"
>     TX: bytes  packets  errors  dropped carrier collsns
>     0          0        1       0       0       0
> 
> The problem is that the network offset is set to the hard_header_len of the
> output device (tun1, ie 14 + 20) and in our case, because the packet is
> small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes
> (ipv6 header) starting from the network offset).
> 
> This problem is more generally related to device with variable hard header
> length. To avoid a too intrusive patch in the current release, a (ugly)
> workaround is proposed in this patch. It has to be cleaned up in net-next.
> 
> Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1
> Link: http://patchwork.ozlabs.org/patch/1024489/
> Fixes: cb9f1b783850 ("ip: validate header length on virtual device xmit")
> CC: Willem de Bruijn <willemb@...gle.com>
> CC: Maxim Mikityanskiy <maximmi@...lanox.com>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com>
> ---
> 
> v1 -> v2:
>   reset nh offset only for small packets sent on a variable hard hdr len device

Applied.

Powered by blists - more mailing lists