| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Apr 2020 23:16:19 +0200
From: Toke Høiland-Jørgensen <toke@...hat.com>
To: davem@...emloft.net, jason@...c4.com
Cc: Toke Høiland-Jørgensen <toke@...hat.com>,
netdev@...r.kernel.org, wireguard@...ts.zx2c4.com,
Olivier Tilmans <olivier.tilmans@...ia-bell-labs.com>,
Dave Taht <dave.taht@...il.com>,
"Rodney W . Grimes" <ietf@...rsh.dnsmgr.net>
Subject: [PATCH net v2] wireguard: use tunnel helpers for decapsulating ECN markings
WireGuard currently only propagates ECN markings on tunnel decap according
to the old RFC3168 specification. However, the spec has since been updated
in RFC6040 to recommend slightly different decapsulation semantics. This
was implemented in the kernel as a set of common helpers for ECN
decapsulation, so let's just switch over WireGuard to using those, so it
can benefit from this enhancement and any future tweaks.
RFC6040 also recommends dropping packets on certain combinations of
erroneous code points on the inner and outer packet headers which shouldn't
appear in normal operation. The helper signals this by a return value > 1,
so also add a handler for this case.
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Reported-by: Olivier Tilmans <olivier.tilmans@...ia-bell-labs.com>
Cc: Dave Taht <dave.taht@...il.com>
Cc: Rodney W. Grimes <ietf@...rsh.dnsmgr.net>
Signed-off-by: Toke Høiland-Jørgensen <toke@...hat.com>
---
v2:
- Don't log decap errors, and make sure they are recorded as frame errors,
not length errors.
drivers/net/wireguard/receive.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireguard/receive.c b/drivers/net/wireguard/receive.c
index da3b782ab7d3..ad36f358c807 100644
--- a/drivers/net/wireguard/receive.c
+++ b/drivers/net/wireguard/receive.c
@@ -393,13 +393,15 @@ static void wg_packet_consume_data_done(struct wg_peer *peer,
len = ntohs(ip_hdr(skb)->tot_len);
if (unlikely(len < sizeof(struct iphdr)))
goto dishonest_packet_size;
- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
- IP_ECN_set_ce(ip_hdr(skb));
+ if (INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds,
+ ip_hdr(skb)->tos) > 1)
+ goto ecn_decap_error;
} else if (skb->protocol == htons(ETH_P_IPV6)) {
len = ntohs(ipv6_hdr(skb)->payload_len) +
sizeof(struct ipv6hdr);
- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
- IP6_ECN_set_ce(skb, ipv6_hdr(skb));
+ if (INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds,
+ ipv6_get_dsfield(ipv6_hdr(skb))) > 1)
+ goto ecn_decap_error;
} else {
goto dishonest_packet_type;
}
@@ -437,6 +439,7 @@ static void wg_packet_consume_data_done(struct wg_peer *peer,
dishonest_packet_type:
net_dbg_ratelimited("%s: Packet is neither ipv4 nor ipv6 from peer %llu (%pISpfsc)\n",
dev->name, peer->internal_id, &peer->endpoint.addr);
+ecn_decap_error:
++dev->stats.rx_errors;
++dev->stats.rx_frame_errors;
goto packet_processed;
--
2.26.2
Powered by blists - more mailing lists