Date:   Mon, 27 Jul 2020 11:40:09 +0200
From:   Tobias Brunner <tobias@...ongswan.org>
To:     Steffen Klassert <steffen.klassert@...unet.com>,
        Sabrina Dubroca <sd@...asysnail.net>
Cc:     netdev@...r.kernel.org, Paul Wouters <paul@...ats.ca>,
        Andrew Cagney <andrew.cagney@...il.com>
Subject: Re: [RFC PATCH ipsec] xfrm: don't pass too short packets to userspace
 with ESPINUDP encap

>> Currently, any UDP-encapsulated packet of 8 bytes or less will be
>> passed to userspace, whether it starts with the non-ESP prefix or
>> not (except keepalives). This includes:
>>  - messages of 1, 2, 3 bytes
>>  - messages of 4 to 8 bytes not starting with 00 00 00 00
>>
>> This patch changes that behavior, so that only properly-formed non-ESP
>> messages are passed to userspace. Messages of 8 bytes or less that
>> don't contain a full non-ESP prefix followed by some data (at least
>> one byte) will be dropped and counted as XfrmInHdrError.
> 
> I'm ok with that change. But it affects userspace, so the *swan
> people have to tell if that's ok for them.

Yes, no problem from strongSwan's side.  Packets shorter than 4 bytes
are immediately dropped anyway, the others when attempting to parse as
IKE messages (already the initiator IKE SPI, with which they start, is 8
bytes long).

Regards,
Tobias
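
The before/after classification of short ESPINUDP payloads discussed in this thread, as an added C example; it is not the kernel patch and not strongSwan code. The function and enum names are hypothetical, the sample payloads are constructed, and the one-byte 0xFF keepalive and the ESP path for longer packets follow RFC 3948 rather than anything spelled out in the message.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum verdict { V_KEEPALIVE, V_ESP, V_USERSPACE, V_DROP };
#define ESP_HDR_LEN 8 /* SPI (4 bytes) + sequence number (4 bytes) */
#define MARKER_LEN  4 /* non-ESP marker: 00 00 00 00 */

/* True when the payload starts with a complete non-ESP marker. */
static int has_marker(const uint8_t *p, size_t len)
{
    static const uint8_t zero[MARKER_LEN];
    return len >= MARKER_LEN && memcmp(p, zero, MARKER_LEN) == 0;
}

/* Behaviour described as current: anything that is not a keepalive or ESP goes up. */
enum verdict classify_before(const uint8_t *p, size_t len)
{
    if (len == 1 && p[0] == 0xff) return V_KEEPALIVE;
    if (len > ESP_HDR_LEN && !has_marker(p, len)) return V_ESP;
    return V_USERSPACE;
}

/* Behaviour after the change: userspace only sees marker + at least one byte. */
enum verdict classify_after(const uint8_t *p, size_t len)
{
    if (len == 1 && p[0] == 0xff) return V_KEEPALIVE;
    if (len > ESP_HDR_LEN && !has_marker(p, len)) return V_ESP;
    if (len > MARKER_LEN && has_marker(p, len)) return V_USERSPACE;
    return V_DROP; /* the case counted as XfrmInHdrError in the description */
}

int main(void)
{
    /* Constructed sample payloads (UDP payload only), not captured traffic. */
    static const struct { uint8_t b[12]; size_t len; } s[] = {
        { {0xff}, 1 }, { {0x01, 0x02, 0x03}, 3 },
        { {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01}, 6 },
        { {0, 0, 0, 0}, 4 }, { {0, 0, 0, 0, 0x01}, 5 },
        { {0x12, 0x34, 0x56, 0x78, 0, 0, 0, 1, 0xaa, 0xbb, 0xcc, 0xdd}, 12 },
    };
    static const char *name[] = { "keepalive", "esp", "userspace", "drop" };
    for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("len=%2zu before=%-9s after=%s\n", s[i].len,
               name[classify_before(s[i].b, s[i].len)],
               name[classify_after(s[i].b, s[i].len)]);
    return 0;
}
```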
