Date:   Tue, 26 Jan 2021 15:12:49 +0100
From:   Oliver Graute <oliver.graute@...il.com>
To:     kernelnewbies@...nelnewbies.org, netdev@...r.kernel.org
Cc:     kuznet@....inr.ac.ru, yoshfuji@...ux-ipv6.org,
        jakub@...udflare.com, pabeni@...hat.com
Subject: UDP implementation and the MSG_MORE flag

Hello,

we observe some unexpected behavior in the UDP implementation of the
linux kernel.

Some UDP packets sent via the loopback interface are dropped in the
kernel on the receive side when using sendto() with the MSG_MORE flag.
Every drop increments the InCsumErrors counter in /proc/self/net/snmp.
Example code to reproduce this is appended below.

We tracked it down to the following code section (and even a little
further, but it is unclear to me why the csum() is wrong in the bad case):

udpv6_recvmsg()
...
if (checksum_valid || udp_skb_csum_unnecessary(skb)) {
		if (udp_skb_is_linear(skb))
			err = copy_linear_skb(skb, copied, off, &msg->msg_iter);
		else
			err = skb_copy_datagram_msg(skb, off, msg, copied);
	} else {
		err = skb_copy_and_csum_datagram_msg(skb, off, msg);
		if (err == -EINVAL) {
			goto csum_copy_err;
		}
	}
...


Perhaps someone with deeper knowledge can comment on this and explain
the reason for this behavior to us.

Best regards,

Oliver


udp-send.c

#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

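/* Parenthesized so the macro expands safely inside larger expressions. */
#define BUFFSIZE (512 * 1024)

/*
 * Parse a decimal UDP port number.
 *
 * Returns 0 and stores the value in *port_out when text is a complete
 * decimal number in the range 1-65535, -1 otherwise.
 */
static int parse_port(const char *text, int *port_out)
{
    char *end = NULL;
    long value;

    errno = 0;
    value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE ||
        value < 1 || value > 65535) {
        return -1;
    }

    *port_out = (int)value;
    return 0;
}

/*
 * Send the NUL-terminated contents of buffer to dest with the given
 * sendto() flags.
 *
 * Returns 0 on success. Returns -1 after printing a diagnostic when
 * sendto() fails or accepts fewer bytes than requested, so that a failed
 * send is not mistaken for a datagram dropped by the receiver.
 */
static int send_buffer(int fd, const struct sockaddr_in *dest,
                       const char *buffer, int flags)
{
    size_t len = strlen(buffer);
    ssize_t sent = sendto(fd, buffer, len, flags,
                          (const struct sockaddr *)dest, sizeof(*dest));

    if (sent < 0) {
        perror("sendto");
        return -1;
    }
    if ((size_t)sent != len) {
        fprintf(stderr, "sendto: short send (%zd of %zu bytes)\n", sent, len);
        return -1;
    }
    return 0;
}

/*
 * Reproducer, sending side: emits three UDP datagrams to 127.0.0.1.
 *
 * The first two datagrams are assembled in the kernel from three sendto()
 * calls each; MSG_MORE on the first two calls asks the kernel to keep
 * appending to the pending datagram, and the final call without MSG_MORE
 * transmits it. The third datagram carries the same text as the first but
 * is sent with a single sendto() call.
 *
 * Usage: udp-send [port]   (default port 4711)
 *
 * Returns EXIT_SUCCESS when every send succeeded, EXIT_FAILURE otherwise.
 */
int main(int argc, char** argv)
{
    int rc = EXIT_FAILURE;
    int fd = -1;
    int port = 4711;
    char *buffer = NULL;
    size_t used = 0;
    struct sockaddr_in addr;

    if (argc == 2 && parse_port(argv[1], &port) < 0) {
        fprintf(stderr, "invalid port '%s' (expected 1-65535)\n", argv[1]);
        return EXIT_FAILURE;
    }

    fd = socket(PF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        goto out;
    }

    /* Zero the whole structure so no padding bytes are left uninitialized. */
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");

    buffer = malloc(BUFFSIZE);
    if (!buffer) {
        perror("malloc");
        goto out;
    }

    /* Case 1: the sequence reported as dropped with InCsumErrors. */
    printf("\nsending BROKEN segmented testdata on local port %i \n", port);
    snprintf(buffer, BUFFSIZE, "start-data {\n");
    if (send_buffer(fd, &addr, buffer, MSG_MORE) < 0) {
        goto out;
    }
    snprintf(buffer, BUFFSIZE, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
    if (send_buffer(fd, &addr, buffer, MSG_MORE) < 0) {
        goto out;
    }
    snprintf(buffer, BUFFSIZE, "}\n");
    if (send_buffer(fd, &addr, buffer, 0) < 0) {
        goto out;
    }

    /* Case 2: same structure with a shorter body line; reported as received. */
    printf("\nsending VALID segmented testdata on local port %i \n", port);
    snprintf(buffer, BUFFSIZE, "start-data {\n");
    if (send_buffer(fd, &addr, buffer, MSG_MORE) < 0) {
        goto out;
    }
    snprintf(buffer, BUFFSIZE, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
    if (send_buffer(fd, &addr, buffer, MSG_MORE) < 0) {
        goto out;
    }
    snprintf(buffer, BUFFSIZE, "}\n");
    if (send_buffer(fd, &addr, buffer, 0) < 0) {
        goto out;
    }

    /* Case 3: the text of case 1 built in user space and sent in one call. */
    printf("\nsending VALID unsegmented testdata on local port %i \n", port);
    snprintf(buffer, BUFFSIZE, "start-data {\n");
    used = strlen(buffer);
    snprintf(buffer + used, BUFFSIZE - used, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
    used = strlen(buffer);
    snprintf(buffer + used, BUFFSIZE - used, "}\n");
    if (send_buffer(fd, &addr, buffer, 0) < 0) {
        goto out;
    }

    rc = EXIT_SUCCESS;

out:
    free(buffer);
    if (fd >= 0) {
        close(fd);
    }
    return rc;
}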
-------

udp-receive.c 

#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

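/*
 * Parse a decimal UDP port number.
 *
 * Returns 0 and stores the value in *port_out when text is a complete
 * decimal number in the range 1-65535, -1 otherwise.
 */
static int parse_port(const char *text, int *port_out)
{
    char *end = NULL;
    long value;

    errno = 0;
    value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE ||
        value < 1 || value > 65535) {
        return -1;
    }

    *port_out = (int)value;
    return 0;
}

/*
 * Reproducer, receiving side: binds a UDP socket and prints every
 * datagram it receives until a receive error occurs or the process is
 * terminated.
 *
 * Usage: udp-receive [port]   (default port 4711)
 *
 * NOTE(review): the socket is bound to 0.0.0.0, so datagrams arriving on
 * any interface are accepted, and the payload is written to stdout
 * unmodified. For a loopback-only test, consider binding to 127.0.0.1 and
 * running this only on a host where the port is not reachable by others.
 *
 * Returns EXIT_FAILURE when setup fails or the receive loop stops on an
 * error; the loop has no success exit.
 */
int main(int argc, char** argv)
{
    enum { RECV_BUF_SIZE = 65536 };

    int rc = EXIT_FAILURE;
    int fd = -1;
    int ret = 0;
    int bind_errno = 0;
    int port = 4711;
    char *buffer = NULL;
    struct sockaddr_in addr;

    if (argc == 2 && parse_port(argv[1], &port) < 0) {
        fprintf(stderr, "invalid port '%s' (expected 1-65535)\n", argv[1]);
        return EXIT_FAILURE;
    }

    /* socket() reports failure as -1; descriptor 0 is a valid result. */
    fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (fd < 0) {
        printf("\nerror creating socket\n");
        goto out;
    }

    /* Zero the whole structure so no padding bytes are left uninitialized. */
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);
    addr.sin_addr.s_addr = inet_addr("0.0.0.0");

    buffer = malloc(RECV_BUF_SIZE);
    if (!buffer) {
        perror("malloc");
        goto out;
    }

    printf("\nbinding to local port %i \n", port);
    ret = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    /* errno is only meaningful after a failed call; report 0 on success. */
    bind_errno = (ret < 0) ? errno : 0;
    printf("result error %i, errno %i\n", ret, bind_errno);
    if (ret < 0) {
        /* Without a bound port nothing can arrive; do not enter the loop. */
        goto out;
    }

    for (;;) {
        ssize_t recvlen = recvfrom(fd, buffer, RECV_BUF_SIZE, 0, NULL, NULL);

        if (recvlen > 0) {
            printf("\nreceived %i bytes of data:\n", (int)recvlen);
            /*
             * The precision bounds the print to the received bytes, so the
             * buffer does not need a terminating NUL; output still stops
             * at the first NUL byte inside the payload.
             */
            printf("%.*s\n", (int)recvlen, buffer);
        } else if (recvlen < 0) {
            int recv_errno = errno;

            if (recv_errno == EINTR) {
                continue;
            }
            printf("\n receive error %i, errno %i\n", (int)recvlen, recv_errno);
            /* Stop instead of spinning on an error that will not clear. */
            break;
        }
        /* recvlen == 0: empty datagram, nothing to print. */
    }

out:
    free(buffer);
    if (fd >= 0) {
        close(fd);
    }
    return rc;
}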
