lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190910150343.GC21550@linux.home>
Date:   Tue, 10 Sep 2019 17:03:43 +0200
From:   Guillaume Nault <gnault@...hat.com>
To:     Stefano Brivio <sbrivio@...hat.com>
Cc:     David Miller <davem@...emloft.net>, Julian Anastasov <ja@....bg>,
        Nicolas Dichtel <nicolas.dichtel@...nd.com>,
        David Ahern <dsahern@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next] ipv6: Don't use dst gateway directly in
 ip6_confirm_neigh()

On Mon, Sep 09, 2019 at 10:44:06PM +0200, Stefano Brivio wrote:
> This is the equivalent of commit 2c6b55f45d53 ("ipv6: fix neighbour
> resolution with raw socket") for ip6_confirm_neigh(): we can send a
> packet with MSG_CONFIRM on a raw socket for a connected route, so the
> gateway would be :: here, and we should pick the next hop using
> rt6_nexthop() instead.
> 
> This was found by code review and, to the best of my knowledge, doesn't
> actually fix a practical issue: the destination address from the packet
> is not considered while confirming a neighbour, as ip6_confirm_neigh()
> calls choose_neigh_daddr() without passing the packet, so there are no
> similar issues as the one fixed by said commit.
> 
> A possible source of issues with the existing implementation might come
> from the fact that, if we have a cached dst, we won't consider it,
> while rt6_nexthop() takes care of that. I might just not be creative
> enough to find a practical problem here: the only way to affect this
> with cached routes is to have one coming from an ICMPv6 redirect, but
> if the next hop is a directly connected host, there should be no
> topology for which a redirect applies here, and tests with redirected
> routes show no differences for MSG_CONFIRM (and MSG_PROBE) packets on
> raw sockets destined to a directly connected host.
> 
> However, directly using the dst gateway here is not consistent anymore
> with neighbour resolution, and, in general, as we want the next hop,
> using rt6_nexthop() looks like the only sane way to fetch it.
> 
> Reported-by: Guillaume Nault <gnault@...hat.com>
> Signed-off-by: Stefano Brivio <sbrivio@...hat.com>
> ---
>  net/ipv6/route.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index 7a5d331cdefa..874641d4d2a1 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -227,7 +227,7 @@ static void ip6_confirm_neigh(const struct dst_entry *dst, const void *daddr)
>  	struct net_device *dev = dst->dev;
>  	struct rt6_info *rt = (struct rt6_info *)dst;
>  
> -	daddr = choose_neigh_daddr(&rt->rt6i_gateway, NULL, daddr);
> +	daddr = choose_neigh_daddr(rt6_nexthop(rt, &in6addr_any), NULL, daddr);
>  	if (!daddr)
>  		return;
>  	if (dev->flags & (IFF_NOARP | IFF_LOOPBACK))
> 
Acked-by: Guillaume Nault <gnault@...hat.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ