Message-ID: <20200106160635.2550c92f@hermes.lan>
Date: Mon, 6 Jan 2020 16:06:35 -0800
From: Stephen Hemminger <stephen@...workplumber.org>
To: Ttttabcd <ttttabcd@...tonmail.com>
Cc: Netdev <netdev@...r.kernel.org>,
David Miller <davem@...emloft.net>,
"kuznet@....inr.ac.ru" <kuznet@....inr.ac.ru>,
"yoshfuji@...ux-ipv6.org" <yoshfuji@...ux-ipv6.org>
Subject: Re: [PATCH] fragment: Improved handling of incorrect IP fragments
On Fri, 03 Jan 2020 00:44:30 +0000
Ttttabcd <ttttabcd@...tonmail.com> wrote:
> > You can not safely drop this check.
> > With recursive fragmentation it is possible that the initial payload ends
> > up exceeding the maximum packet length.
>
> Can you give an example? What is "recursive fragmentation"?
>
> In my previous tests, all fragment packets with a payload length exceeding 65535 were discarded in ip6_frag_queue by
>
> if ((unsigned int) end > IPV6_MAXPLEN)
>
>
I get wary of any changes to fragmentation code. It has a long history
of bugs and is complex. See recent FragSmack for some backstory.
You need to split IPv4 and IPv6 parts into two different patches.
In the IPv4 part, you dropped the test for oversize IPv4 packet.
With raw packet tools it is possible to generate a packet that reassembles into
a packet larger than 64K. An example is:
$ tshark -r oversize-ipv4.pcap
1 0.000000 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=0, ID=9b39)
2 0.001615 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=1440, ID=9b39)
3 0.004115 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=2920, ID=9b39)
4 0.006502 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=4400, ID=9b39)
5 0.008819 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=5880, ID=9b39)
6 0.011178 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=7360, ID=9b39)
7 0.013465 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=8840, ID=9b39)
8 0.016040 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=10320, ID=9b39)
9 0.018369 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=11800, ID=9b39)
10 0.020679 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=13280, ID=9b39)
11 0.022965 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=14760, ID=9b39)
12 0.025186 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=16240, ID=9b39)
13 0.027277 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=17720, ID=9b39)
14 0.028917 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=19200, ID=9b39)
15 0.030832 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=20680, ID=9b39)
16 0.032232 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=22160, ID=9b39)
17 0.033742 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=23640, ID=9b39)
18 0.035106 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=25120, ID=9b39)
19 0.036736 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=26600, ID=9b39)
20 0.037728 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=28080, ID=9b39)
21 0.038983 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=29560, ID=9b39)
22 0.040007 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=31040, ID=9b39)
23 0.041459 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=32520, ID=9b39)
24 0.042833 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=34000, ID=9b39)
25 0.044030 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=35480, ID=9b39)
26 0.044909 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=36960, ID=9b39)
27 0.045921 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=38440, ID=9b39)
28 0.046767 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=39920, ID=9b39)
29 0.047581 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=41400, ID=9b39)
30 0.048610 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=42880, ID=9b39)
31 0.049323 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=44360, ID=9b39)
32 0.050102 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=45840, ID=9b39)
33 0.051014 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=47320, ID=9b39)
34 0.051787 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=48800, ID=9b39)
35 0.052576 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=50280, ID=9b39)
36 0.053448 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=51760, ID=9b39)
37 0.054260 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=53240, ID=9b39)
38 0.055036 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=54720, ID=9b39)
39 0.055823 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=56200, ID=9b39)
40 0.056614 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=57680, ID=9b39)
41 0.057512 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=59160, ID=9b39)
42 0.058313 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=60640, ID=9b39)
43 0.059073 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=62120, ID=9b39)
44 0.059945 127.0.0.1 → 127.0.0.1 IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=63600, ID=9b39)
45 0.060705 127.0.0.1 → 127.0.0.1 TCP 469 16705 → 16705 [FIN, ECN, NS] Seq=1 Win=16705, bogus TCP header length (16, must be at least 20)
With the current (correct) Linux kernel code this gets reassembled and dropped,
as seen in the dmesg log and statistics.
With your IPv4 patch the oversize packet gets passed on up the stack.
Testing this stuff is hard; it requires packet hacker tools.
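Added here as an illustration, not code from the patch or from the kernel: a small C model of the length bookkeeping a reassembler keeps, showing why the total-length check at reassembly time matters even when every fragment looks sane on its own. The 1514-byte frames and offsets follow the listing above; the last fragment's offset and size, and the header length of the first fragment, are assumptions passed in as parameters.

```c
#include <stdbool.h>
#include <stdint.h>
#define IPV4_MAXLEN 65535u  /* 16-bit total-length field */
#define FRAG_UNIT   8u      /* 13-bit fragment offset counts 8-byte units */
struct frag_queue {
    uint32_t len;        /* highest payload end (bytes) seen so far */
    uint16_t first_ihl;  /* header length of the offset-0 fragment */
    bool     last_seen;  /* a fragment with MF=0 has arrived */
};
enum frag_verdict { FRAG_QUEUED, FRAG_REASSEMBLED, FRAG_DROPPED };

/* offset13: raw 13-bit field; ihl: this fragment's header length in bytes;
 * payload: data bytes after the header; mf: More Fragments flag.
 * Overlap detection is left out to keep the model short. */
enum frag_verdict frag_add(struct frag_queue *q, uint16_t offset13,
                           uint16_t ihl, uint16_t payload, bool mf)
{
    uint32_t end = (uint32_t)offset13 * FRAG_UNIT + payload;
    if (offset13 == 0)
        q->first_ihl = ihl;      /* IP options travel in the first fragment */
    if (!mf) {
        /* MF=0 fixes the datagram length; a second "last" fragment or one
         * ending before data already seen means corruption. */
        if (q->last_seen || end < q->len)
            return FRAG_DROPPED;
        q->last_seen = true;
    } else if (q->last_seen && end > q->len) {
        return FRAG_DROPPED;     /* data beyond the fixed end */
    }
    if (end > q->len)
        q->len = end;
    if (!q->last_seen)
        return FRAG_QUEUED;
    /* Reassembly: first header plus all payload must still fit the 16-bit
     * total length. This is the check the IPv4 part of the patch removes. */
    if ((uint32_t)q->first_ihl + q->len > IPV4_MAXLEN)
        return FRAG_DROPPED;
    return FRAG_REASSEMBLED;
}

/* Replays the shape of the listing: 44 frames of 1514 bytes (14 Ethernet +
 * header + data) at offsets 0, 1440, 2920, ..., 63600, then a constructed
 * final fragment at 65080 carrying last_payload bytes (assumed values). */
enum frag_verdict replay_capture(uint16_t first_ihl, uint16_t last_payload)
{
    struct frag_queue q = {0};
    enum frag_verdict v = frag_add(&q, 0, first_ihl, (uint16_t)(1500 - first_ihl), true);
    for (uint32_t off = 1440; off <= 63600 && v == FRAG_QUEUED; off += 1480)
        v = frag_add(&q, (uint16_t)(off / FRAG_UNIT), 20, 1480, true);
    return v == FRAG_QUEUED ? frag_add(&q, 65080 / FRAG_UNIT, 20, last_payload, false) : v;
}
```

With a plain 20-byte header, 435 bytes in the final fragment lands exactly on 65535 and passes, while one more byte, or a first fragment carrying 40 bytes of options, pushes the rebuilt datagram past the field's range and gets dropped.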