Date:   Wed, 26 Aug 2020 10:40:44 +0200
From:   Steffen Klassert <>
To:     Sabrina Dubroca <>
CC:     Bram Yvakh <>, <>,
Subject: Re: [PATCH ipsec] xfrmi: drop ignore_df check before updating pmtu

On Mon, Aug 10, 2020 at 02:20:20PM +0200, Sabrina Dubroca wrote:
> 2020-08-07, 17:41:09 +0200, Bram Yvakh wrote:
> If the packet doesn't have the DF bit set (so the stack can fragment
> the packet at will), or if the stack decided that it can ignore it and
> fragment anyway, there's no need to check the mtu, because we'll
> fragment the packet when we need. Otherwise, we're not allowed to
> fragment, so we have to check the packet's size against the mtu.
> > In other words: 'xfrm4_tunnel_check_size' only cares about the mtu if ignore_df isn't set.
> > The original code in 'xfrmi_xmit2': only checks the mtu if ignore_df isn't set. (-> looks consistent)
> Except that we reset skb->ignore_df in between (just after the mtu
> handling in xfrmi_xmit2, via xfrmi_scrub_packet).

I guess the problem appears with a local ping, right?
Does 'ping -M do' work?

Looks like the comment in __ip_make_skb() on ignore_df
is not true for packets that are sent through a virtual
interface that increases the packet size. It says:

/* Unless user demanded real pmtu discovery (IP_PMTUDISC_DO), we allow
 * to fragment the frame generated here. No matter, what transforms
 * how transforms change size of the packet, it will come out.

If we reset ignore_df before we can fragment it, the packet
won't come out.

I tend to apply your patch because it makes xfrmi consistent with
vti, but that might not be the end of the story. We will then signal
PMTU events also to sockets that can't handle it. Unfortunately, we
can't fragment before we send the packets into the interface, as
we don't know their final size. Alternatively, we can keep the
ignore_df on the skb and fragment the encapsulated packet later on.
But this has problems on its own...
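A simplified model of the ordering problem discussed in this thread, added here as an example and not kernel code: the struct is a stand-in for the sk_buff fields involved, and the three steps mirror the xfrmi_xmit2 mtu check, the ignore_df reset in xfrmi_scrub_packet, and the xfrm4_tunnel_check_size check as described above. The "local ping" case is assumed to be a packet with DF set but ignore_df still set.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the sk_buff fields the thread talks about (constructed). */
struct model_skb {
    int  len;        /* packet length as it enters the interface */
    bool df;         /* DF bit in the IP header */
    bool ignore_df;  /* skb->ignore_df: the stack may fragment anyway */
};

enum outcome {
    SENT,            /* passed both checks, goes on to xfrm output */
    PMTU_REPORTED,   /* xfrmi_xmit2 updated pmtu and returned -EMSGSIZE */
    DROPPED_NO_PMTU  /* xfrm4_tunnel_check_size rejected it, pmtu never updated */
};

/* with_patch selects whether the "!skb->ignore_df &&" gate in the
 * xfrmi_xmit2 mtu check is dropped, as the patch proposes. */
enum outcome xfrmi_path(struct model_skb *skb, int mtu, bool with_patch)
{
    /* step 1: xfrmi_xmit2 mtu check (originally gated on !ignore_df) */
    if ((with_patch || !skb->ignore_df) && skb->len > mtu)
        return PMTU_REPORTED;

    /* step 2: xfrmi_scrub_packet resets ignore_df, so the "may fragment"
     * hint is gone before anyone actually fragments */
    skb->ignore_df = false;

    /* step 3: xfrm4_tunnel_check_size only cares about the mtu when DF is
     * set and ignore_df is clear, which is now always the case */
    if (skb->df && !skb->ignore_df && skb->len > mtu)
        return DROPPED_NO_PMTU;

    return SENT;
}

int main(void)
{
    /* constructed "local ping" style packet: DF set, ignore_df set, over mtu */
    struct model_skb before = { 1400, true, true };
    struct model_skb after  = { 1400, true, true };
    printf("without patch: %d (2 = dropped, no pmtu update)\n",
           xfrmi_path(&before, 1300, false));
    printf("with patch:    %d (1 = pmtu reported to the sender)\n",
           xfrmi_path(&after, 1300, true));
    return 0;
}
```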
