lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 5 May 2020 10:09:12 -0700
From:   sdf@...gle.com
To:     Andrey Ignatov <rdna@...com>
Cc:     netdev@...r.kernel.org, bpf@...r.kernel.org, davem@...emloft.net,
        ast@...nel.org, daniel@...earbox.net
Subject: Re: [PATCH bpf-next 4/4] bpf: allow any port in bpf_bind helper

On 05/05, Stanislav Fomichev wrote:
> On 05/04, Andrey Ignatov wrote:
> > Stanislav Fomichev <sdf@...gle.com> [Mon, 2020-05-04 10:34 -0700]:
> > > [...]
> > > diff --git a/net/core/filter.c b/net/core/filter.c
> > > index fa9ddab5dd1f..fc5161b9ff6a 100644
> > > --- a/net/core/filter.c
> > > +++ b/net/core/filter.c
> > > @@ -4527,29 +4527,24 @@ BPF_CALL_3(bpf_bind, struct  
> bpf_sock_addr_kern *, ctx, struct sockaddr *, addr,
> > >  	struct sock *sk = ctx->sk;
> > >  	int err;
> > >
> > > -	/* Binding to port can be expensive so it's prohibited in the  
> helper.
> > > -	 * Only binding to IP is supported.
> > > -	 */
> > >  	err = -EINVAL;
> > >  	if (addr_len < offsetofend(struct sockaddr, sa_family))
> > >  		return err;
> > >  	if (addr->sa_family == AF_INET) {
> > >  		if (addr_len < sizeof(struct sockaddr_in))
> > >  			return err;
> > > -		if (((struct sockaddr_in *)addr)->sin_port != htons(0))
> > > -			return err;
> > >  		return __inet_bind(sk, addr, addr_len,
> > > +				   BIND_FROM_BPF |
> > >  				   BIND_FORCE_ADDRESS_NO_PORT);
> >
> > Should BIND_FORCE_ADDRESS_NO_PORT be passed only if port is zero?
> > Passing non zero port and BIND_FORCE_ADDRESS_NO_PORT at the same time
> > looks confusing (even though it works).
> Makes sense, will remove it here, thx.
Looking at it some more, I think we need to always have that
BIND_FORCE_ADDRESS_NO_PORT. Otherwise, it might regress your
usecase with zero port:

   if (snum || !(inet->bind_address_no_port ||
                (flags & BIND_FORCE_ADDRESS_NO_PORT)))

If snum == 0 we want to have either the flag on or
IP_BIND_ADDRESS_NO_PORT being set on the socket to prevent the port
allocation a bind time.

If snum != 0, BIND_FORCE_ADDRESS_NO_PORT doesn't matter and the port
is passed as an argument. We don't need to search for a free one, just
to confirm it's not used.

Am I missing something?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ