| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 13 Jul 2019 16:42:30 -0600
From: David Ahern <dsahern@...il.com>
To: Cong Wang <xiyou.wangcong@...il.com>, netdev@...r.kernel.org
Cc: Julian Anastasov <ja@....bg>
Subject: Re: [Patch net] fib: relax source validation check for loopback
packets
On 7/12/19 2:17 PM, Cong Wang wrote:
> diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
> index 317339cd7f03..8662a44a28f9 100644
> --- a/net/ipv4/fib_frontend.c
> +++ b/net/ipv4/fib_frontend.c
> @@ -388,6 +388,12 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
> fib_combine_itag(itag, &res);
>
> dev_match = fib_info_nh_uses_dev(res.fi, dev);
> + /* This is rare, loopback packets retain skb_dst so normally they
> + * would not even hit this slow path.
> + */
> + dev_match = dev_match || (res.type == RTN_LOCAL &&
> + dev == net->loopback_dev &&
The dev should not be needed. res.type == RTN_LOCAL should be enough, no?
> + IN_DEV_ACCEPT_LOCAL(idev));
Why is this check needed? Can you give an example use that is fixed -
and add one to selftests/net/fib_tests.sh?
> if (dev_match) {
> ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST;
> return ret;
>
Powered by blists - more mailing lists