lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 19 Jun 2019 18:50:39 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Stephen Suryaputra <ssuryaextr@...il.com>
Cc:     netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH RESEND nf-next] netfilter: add support for matching IPv4
 options

On Tue, Jun 18, 2019 at 10:13:55AM -0400, Stephen Suryaputra wrote:
> On Tue, Jun 18, 2019 at 05:31:12PM +0200, Pablo Neira Ayuso wrote:
> > > +{
> > > +	unsigned char optbuf[sizeof(struct ip_options) + 41];
> > 
> > In other parts of the kernel this is + 40:
> > 
> > net/ipv4/cipso_ipv4.c:  unsigned char optbuf[sizeof(struct ip_options) + 40];
> > 
> > here it is + 41.
> >
> > ...
> >
> > > +	/* Copy the options since __ip_options_compile() modifies
> > > +	 * the options. Get one byte beyond the option for target < 0
> > 
> > How does this "one byte beyond the option" trick works?
> 
> I used ipv6_find_hdr() as a reference. There if target is set to less
> than 0, then the offset points to the byte beyond the extension header.
> In this function, it points to the byte beyond the option. I wanted to
> be as close as a working code as possible. Also, why +41 instead of +40.

OK. But this is never used in this new extension, priv->type is always
set. I mean, we already have a pointer to the transport header via
nft_pktinfo->xt.thoff.

> > > +		if (opt->end) {
> > > +			*offset = opt->end + start;
> > > +			target = IPOPT_END;
> > 
> > May I ask, what's the purpose of IPOPT_END? :-)
> 
> My understanding is that in ipv6_find_hdr() if the nexthdr is
> NEXTHDR_NONE, then that's the one being returned. The same here: target
> is the return value.

Code that falls under the default: case that deals with IPOPT_END is
never exercised, right?

priv->type is always set to >= 0, so the opt->end never happens.
Hence, we can remove the chunk in net/ipv4/ip_options.c.

> > Apart from the above, this looks good to me.
> 
> AOK for other comments. I can spin another version.

Please, do.

Thanks for explaining. I understand motivation is to mimic
ipv6_find_hdr() which is a good idea indeed... if this functions
becomes used away from the netfilter tree at some point that would be
a good pattern to extend it. However, so far - please correct me if
I'm mistaken - for the requirements of nft_exthdr to support IPv4
options, we don't seem to need it, so I would prefer to start with the
bare minimum code that nft_exthdr needs, if possible.

Thanks!

Powered by blists - more mailing lists