lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190218155745.GU10616@sasha-vm>
Date:   Mon, 18 Feb 2019 10:57:45 -0500
From:   Sasha Levin <sashal@...nel.org>
To:     David Miller <davem@...emloft.net>
Cc:     nicolas.dichtel@...nd.com, netdev@...r.kernel.org,
        willemb@...gle.com, maximmi@...lanox.com
Subject: Re: [PATCH net v2] af_packet: fix raw sockets over 6in4 tunnel

On Thu, Jan 17, 2019 at 03:55:27PM -0800, David Miller wrote:
>From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
>Date: Thu, 17 Jan 2019 11:27:22 +0100
>
>> Since commit cb9f1b783850, scapy (which uses an AF_PACKET socket in
>> SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel:
>>
>> Here is a example of the setup:
>> $ ip link set ntfp2 up
>> $ ip addr add 10.125.0.1/24 dev ntfp2
>> $ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2
>> $ ip addr add fd00:cafe:cafe::1/128 dev tun1
>> $ ip link set dev tun1 up
>> $ ip route add fd00:200::/64 dev tun1
>> $ scapy
>>>>> p = []
>>>>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest()
>>>>> send(p, count=1, inter=0.1)
>>>>> quit()
>> $ ip -s link ls dev tun1 | grep -A1 "TX.*errors"
>>     TX: bytes  packets  errors  dropped carrier collsns
>>     0          0        1       0       0       0
>>
>> The problem is that the network offset is set to the hard_header_len of the
>> output device (tun1, ie 14 + 20) and in our case, because the packet is
>> small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes
>> (ipv6 header) starting from the network offset).
>>
>> This problem is more generally related to device with variable hard header
>> length. To avoid a too intrusive patch in the current release, a (ugly)
>> workaround is proposed in this patch. It has to be cleaned up in net-next.
>>
>> Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1
>> Link: http://patchwork.ozlabs.org/patch/1024489/
>> Fixes: cb9f1b783850 ("ip: validate header length on virtual device xmit")
>> CC: Willem de Bruijn <willemb@...gle.com>
>> CC: Maxim Mikityanskiy <maximmi@...lanox.com>
>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com>
>> ---
>>
>> v1 -> v2:
>>   reset nh offset only for small packets sent on a variable hard hdr len device
>
>Applied.

Should this go to -stable as well? The patch it fixes is in 4.20.

--
Thanks,
Sasha

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ