| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Oct 2020 18:07:38 +0800
From: Hangbin Liu <liuhangbin@...il.com>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Jakub Kicinski <kuba@...nel.org>,
Willem de Bruijn <willemb@...gle.com>
Subject: Re: [PATCH net 2/2] IPv6: reply ICMP error if the first fragment
don't include all headers
On Thu, Oct 08, 2020 at 11:47:00AM +0200, Eric Dumazet wrote:
>
>
> On 10/8/20 10:30 AM, Hangbin Liu wrote:
> >>> @@ -282,6 +285,21 @@ static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev,
> >>> }
> >>> }
> >>>
> >>> + /* RFC 8200, Section 4.5 Fragment Header:
> >>> + * If the first fragment does not include all headers through an
> >>> + * Upper-Layer header, then that fragment should be discarded and
> >>> + * an ICMP Parameter Problem, Code 3, message should be sent to
> >>> + * the source of the fragment, with the Pointer field set to zero.
> >>> + */
> >>> + nexthdr = hdr->nexthdr;
> >>> + offset = ipv6_skip_exthdr(skb, skb_transport_offset(skb), &nexthdr, &frag_off);
> >>> + if (frag_off == htons(IP6_MF) && !pskb_may_pull(skb, offset + 1)) {
> >>> + __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
> >>> + icmpv6_param_prob(skb, ICMPV6_HDR_INCOMP, 0);
> >>> + rcu_read_unlock();
> >>> + return NULL;
> >>> + }
> >>> +
> >>> rcu_read_unlock();
> >>>
> >>> /* Must drop socket now because of tproxy. */
> >>>
> >>
> >> Ouch, this is quite a buggy patch.
> >>
> >> I doubt we want to add yet another ipv6_skip_exthdr() call in IPv6 fast path.
> >>
> >> Surely the presence of NEXTHDR_FRAGMENT is already tested elsewhere ?
> >
> > Would you like to help point where NEXTHDR_FRAGMENT was tested before IPv6
> > defragment?
> I think we have to ask the question : Should routers enforce the rule, or
> only end points ?
>From IPv6 Core Conformance test[1], it applied to both router and host(It will
marked specifically if a test only for router).
>
> End points must handle NEXTHDR_FRAGMENT, in ipv6_frag_rcv()
Yes, I was also try put the check there, but it looks that would be too late
if module nf_defrag_ipv6 loaded
> >> Also ipv6_skip_exthdr() can return an error.
> >
> > it returns -1 as error, If we tested it by (offset + 1 > skb->len), does
> > that count as an error handler?
>
> If there is an error, then you want to send the ICMP, right ?
No, this is only for fragment header with no enough Upper-Layer header, which need
send ICMP Parameter Problem, Code 3 specifically. For other errors, I guess
the other code will take care of it.
So for -1 return, I just skipped it.
>
> The (offset + 1) expression will become 0, and surely the test will be false,
> so you wont send the ICMP...
[1] v6LC.1.3.6: First Fragment Doesn’t Contain All Headers part A, B,
C and D at https://ipv6ready.org/docs/Core_Conformance_5_0_0.pdf
Thanks
Hangbin
Powered by blists - more mailing lists