lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Jan 2022 08:35:19 +0100 From: Steffen Klassert <steffen.klassert@...unet.com> To: Jiri Bohac <jbohac@...e.cz> CC: Sabrina Dubroca <sd@...asysnail.net>, Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, "Mike Maloney" <maloneykernel@...il.com>, Eric Dumazet <eric.dumazet@...il.com>, <netdev@...r.kernel.org> Subject: Re: [PATCH] xfrm: fix MTU regression On Fri, Jan 14, 2022 at 06:40:58PM +0100, Jiri Bohac wrote: > Commit 749439bfac6e1a2932c582e2699f91d329658196 ("ipv6: fix udpv6 > sendmsg crash caused by too small MTU") breaks PMTU for xfrm. > > A Packet Too Big ICMPv6 message received in response to an ESP > packet will prevent all further communication through the tunnel > if the reported MTU minus the ESP overhead is smaller than 1280. > > E.g. in a case of a tunnel-mode ESP with sha256/aes the overhead > is 92 bytes. Receiving a PTB with MTU of 1371 or less will result > in all further packets in the tunnel dropped. A ping through the > tunnel fails with "ping: sendmsg: Invalid argument". > > Apparently the MTU on the xfrm route is smaller than 1280 and > fails the check inside ip6_setup_cork() added by 749439bf. > > We found this by debugging USGv6/ipv6ready failures. Failing > tests are: "Phase-2 Interoperability Test Scenario IPsec" / > 5.3.11 and 5.4.11 (Tunnel Mode: Fragmentation). > > Commit b515d2637276a3810d6595e10ab02c13bfd0b63a ("xfrm: > xfrm_state_mtu should return at least 1280 for ipv6") attempted > to fix this but caused another regression in TCP MSS calculations > and had to be reverted. > > The patch below fixes the situation by dropping the MTU > check and instead checking for the underflows described in the > 749439bf commit message. > > Signed-off-by: Jiri Bohac <jbohac@...e.cz> Can you please add a 'Fixes:' tag so that it can be backported to the stable trees? Btw. this fixes a xfrm issue, but touches only generic IPv6 code. To which tree should this patch be applied? I can take it to the ipsec tee, but would also be ok if it is applied directly to the net tree.
Powered by blists - more mailing lists