lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210126141248.GA27281@optiplex>
Date:   Tue, 26 Jan 2021 15:12:49 +0100
From:   Oliver Graute <oliver.graute@...il.com>
To:     kernelnewbies@...nelnewbies.org, netdev@...r.kernel.org
Cc:     kuznet@....inr.ac.ru, yoshfuji@...ux-ipv6.org,
        jakub@...udflare.com, pabeni@...hat.com
Subject: UDP implementation and the MSG_MORE flag

Hello,

we observe some unexpected behavior in the UDP implementation of the
linux kernel.

Some UDP packets send via the loopback interface are dropped in the
kernel on the receive side when using sendto with the MSG_MORE flag.
Every drop increases the InCsumErrors in /proc/self/net/snmp. Some
example code to reproduce it is appended below.

In the code we tracked it down to this code section. ( Even a little
further but its unclear to me wy the csum() is wrong in the bad case)

udpv6_recvmsg()
...
if (checksum_valid || udp_skb_csum_unnecessary(skb)) {
		if (udp_skb_is_linear(skb))
			err = copy_linear_skb(skb, copied, off, &msg->msg_iter);
		else
			err = skb_copy_datagram_msg(skb, off, msg, copied);
	} else {
		err = skb_copy_and_csum_datagram_msg(skb, off, msg);
		if (err == -EINVAL) {
			goto csum_copy_err;
		}
	}
...


Perhaps someone with deeper knowledge can comment on this and can explain
us the reason of this behavior.

Best regards,

Oliver


udp-send.c

#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

#define BUFFSIZE 512*1024

int main(int argc, char** argv)
{
    int fd = 0;
    int port = 0;
    char *buffer;
    struct sockaddr_in addr;
    ssize_t addrlen = 0;

    if(argc == 2)
    {
        port = atoi(argv[1]);
    }
    else
    {
        port = 4711;
    }

    fd = socket(PF_INET, SOCK_DGRAM, 0);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    addrlen = sizeof(addr);

    buffer = malloc(BUFFSIZE);
    if (!buffer) {
        return 0;
    }

    printf("\nsending BROKEN segmented testdata on local port %i \n", port);
    snprintf(buffer, BUFFSIZE, "start-data {\n");
    sendto(fd, buffer, strlen(buffer), MSG_MORE, (struct sockaddr *) &addr, addrlen);
    snprintf(buffer, BUFFSIZE, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
    sendto(fd, buffer, strlen(buffer), MSG_MORE, (struct sockaddr *) &addr, addrlen);
    snprintf(buffer, BUFFSIZE, "}\n");
    sendto(fd, buffer, strlen(buffer), 0, (struct sockaddr *) &addr, addrlen);

    printf("\nsending VALID segmented testdata on local port %i \n", port);
    snprintf(buffer, BUFFSIZE, "start-data {\n");
    sendto(fd, buffer, strlen(buffer), MSG_MORE, (struct sockaddr *) &addr, addrlen);
    snprintf(buffer, BUFFSIZE, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
    sendto(fd, buffer, strlen(buffer), MSG_MORE, (struct sockaddr *) &addr, addrlen);
    snprintf(buffer, BUFFSIZE, "}\n");
    sendto(fd, buffer, strlen(buffer), 0, (struct sockaddr *) &addr, addrlen);

    printf("\nsending VALID unsegmented testdata on local port %i \n", port);
    snprintf(buffer, BUFFSIZE, "start-data {\n");
    snprintf(buffer + strlen(buffer), BUFFSIZE - strlen(buffer), "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
    snprintf(buffer+ strlen(buffer), BUFFSIZE - strlen(buffer), "}\n");
    sendto(fd, buffer, strlen(buffer), 0, (struct sockaddr *) &addr, addrlen);

    free(buffer);
    return 0;
}
-------

udp-receive.c 

#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

int main(int argc, char** argv)
{
    int fd = 0;
    int arg = 0;
    int ret = 0;
    struct sockaddr_in addr;
    ssize_t addrlen = 0;
    int port = 0;
    char *buffer;
    char *printbuffer;
    int recvlen = 0;

    if(argc == 2)
    {
        port = atoi(argv[1]);
    }
    else
    {
        port = 4711;
    }

    fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = inet_addr("0.0.0.0");
    addrlen = sizeof(addr);

    buffer = malloc(65536);
    if (!buffer) {
        return 0;
    }

    printbuffer = malloc(65537);
    if (!printbuffer) {
        return 0;
    }

    if(fd)
    {
        printf("\nbinding to local port %i \n", port);
        //bind
        ret = bind(fd, (struct sockaddr *)&addr, addrlen);
        printf("result error %i, errno %i\n", ret, errno);

        do {
            recvlen = recvfrom(fd, buffer, 65536, 0, NULL, NULL);

            if (recvlen >0) {
                printf("\nreceived %i bytes of data:\n", recvlen);

                memset(printbuffer, 0, 65537);
                memcpy(printbuffer, buffer, recvlen);

                printf("%s\n", printbuffer);
            }
            else if(recvlen < 0) {
                printf("\n receive error %i, errno %i\n", recvlen, errno);
            }
        } while(1);

        close(fd);
    }
    else
    {
        printf("\nerror creating socket\n");
    }
    
    free(buffer);
    free(printbuffer);
    return 0;
}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ