Date:   Fri,  8 Mar 2019 11:36:24 -0500
From:   Andrew Boyer <andrew.boyer@...l.com>
To:     netdev@...r.kernel.org
Cc:     Farrell Woods <Farrell.Woods@...l.com>
Subject: [PATCH] net/ipv6: Skip policy check to improve compliance

From: Farrell Woods <farrell_woods@...l.com>

The patch fixes an IPv6 conformance test failure (v6LC_1_2_03a in the
UNH INTACT suite) that occurs specifically when IPsec is in use.  The
test iterates through the set of unassigned protocol numbers (currently,
143 through 252) and inserts these into the next header field of a
Destination Options header.  The expected test result is that an
ICMPv6 Parameter Problem is sent back.  But if there's a policy in
place that requires an active SA between the Test Node and the
Device Under Test (and none exists), the inbound packet is quietly
dropped.

Signed-off-by: Farrell Woods <farrell_woods@...l.com>
---
 net/ipv6/ip6_input.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index c7ed2b6..26259b3 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -409,12 +409,10 @@ void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr,
 		}
 	} else {
 		if (!raw) {
-			if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
-				__IP6_INC_STATS(net, idev,
-						IPSTATS_MIB_INUNKNOWNPROTOS);
-				icmpv6_send(skb, ICMPV6_PARAMPROB,
-					    ICMPV6_UNK_NEXTHDR, nhoff);
-			}
+			__IP6_INC_STATS(net, idev,
+					IPSTATS_MIB_INUNKNOWNPROTOS);
+			icmpv6_send(skb, ICMPV6_PARAMPROB,
+				    ICMPV6_UNK_NEXTHDR, nhoff);
 			kfree_skb(skb);
 		} else {
 			__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS);
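
Review bot: Removing the xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb) guard in the !raw branch means a packet that fails the inbound IPsec policy now still triggers icmpv6_send(skb, ICMPV6_PARAMPROB, ICMPV6_UNK_NEXTHDR, nhoff) and increments IPSTATS_MIB_INUNKNOWNPROTOS, so a node whose policy requires an SA will answer senders that have none on this path. The commit message describes the conformance failure but does not say why replying to traffic the policy rejects is acceptable. Please either keep the check and make the unconditional reply an explicit opt-in, or state the trade-off in the commit message and in a comment above the icmpv6_send call. It would also help to say whether a packet that fails policy should be counted as an unknown protocol at all, since the old code only counted it after the policy check passed.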

-- 
2.7.4
