lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Mon, 18 Mar 2019 00:59:59 +0100
From:   Bram Yvahk <bram-yvahk@...l.wizbit.be>
To:     netdev@...r.kernel.org
CC:     steffen.klassert@...unet.com, herbert@...dor.apana.org.au,
        davem@...emloft.net
Subject: [ipsec/xfrmi] fragmentation of IPv4 packets

After running into some issues with VTI code (see my VTI patches) I
decided to take a peek at the xfrmi code.  I believe it has the same
problems as the VTI code for which I submitted patches.

I was planning on testing this with latest kernel but so far I've not
yet been able to do so... Only reason why I'm already submitting this
message is because there is a 'Linux IPsec workshop' next week.

Two issues that I believe exist:

- 'xfrmi_xmit2': for an IPv4 packet the DF bit is not checked --> it
  will send a 'ICMP_FRAG_NEEDED' in response to a packet that is too
  big but does not have the 'DF' bit set. I believe proper behavior
  is to fragment the packet
 
  See also: [PATCH ipsec/vti 1/2] vti: fragment IPv4 packets when DF bit
is not
 
- 'xfrmi6_err': this is not able to handle a ICMPv6 in response to a
  fragmented IPv6 ESP packet. It uses iph->nexthdr which will be set
  to 'NEXTHDR_FRAGMENT' which is unhand led in the code.
  (It expects IPPROTO_ESP/_AH/_COMP)

  See also: [PATCH ipsec/vti 2/2] vti6: process icmp msg when IPv6 is
fragmented

Powered by blists - more mailing lists