Date:   Tue, 7 Jan 2020 10:05:18 -0800
From:   Casey Schaufler <casey@...aufler-ca.com>
To:     Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        David Ahern <dsahern@...il.com>
Cc:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: commit b9ef5513c99b breaks ping to ipv6 linklocal addresses on
 debian buster

On 1/6/2020 1:03 PM, Tetsuo Handa wrote:
> On 2020/01/07 1:41, David Ahern wrote:
>>>>  #ifdef SMACK_IPV6_SECMARK_LABELING
>>>>                 rsp = smack_ipv6host_label(sip);
>>>>
>>>>
>>>> i.e., if the socket family is AF_INET6 the address length should be an
>>>> IPv6 address. The family in the sockaddr is not as important.
>>>>
>>> Commit b9ef5513c99b was wrong, but we need to also fix commit c673944347ed?
>>>
>> not sure. I have not seen a problem related to it yet.
>>
> A sample program shown below is expected to return 0.
> Casey, what does Smack want to do for the IPv4 address on IPv6 socket case?

Thank you, this program has been very helpful. The problematic
checks are supposed to be simply for data sanity, not security.
I think I've got the right set of checks figured out. I'll send
a patch for review once it tests out.

>
> ----------
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <sys/un.h>
> #include <arpa/inet.h>
> #include <unistd.h>
>
> int main(int argc, char *argv[])
> {
>         const int fd1 = socket(PF_INET6, SOCK_DGRAM, 0);
>         const int fd2 = socket(PF_INET, SOCK_DGRAM, 0);
>         struct sockaddr_in addr1 = {
>                 .sin_family = AF_INET,
>                 .sin_addr.s_addr = htonl(INADDR_LOOPBACK),
>                 .sin_port = htons(10000)
>         };
>         struct sockaddr_in addr2 = { };
>         char c = 0;
>         struct iovec iov1 = { "", 1 };
>         struct iovec iov2 = { &c, 1 };
>         const struct msghdr msg1 = {
>                 .msg_iov = &iov1,
>                 .msg_iovlen = 1,
>                 .msg_name = &addr1,
>                 .msg_namelen = sizeof(addr1)
>         };
>         struct msghdr msg2 = {
>                 .msg_iov = &iov2,
>                 .msg_iovlen = 1,
>                 .msg_name = &addr2,
>                 .msg_namelen = sizeof(addr2)
>         };
>         if (bind(fd2, (struct sockaddr *) &addr1, sizeof(addr1)))
>                 return 1;
>         if (sendmsg(fd1, &msg1, 0) != 1 || recvmsg(fd2, &msg2, 0) != 1)
>                 return 1;
>         if (connect(fd1, (struct sockaddr *) &addr1, sizeof(addr1)))
>                 return 1;
>         if (send(fd1, "", 1, 0) != 1 || recv(fd2, &c, 1, 0) != 1)
>                 return 1;
>         return 0;
> }
> ----------
