lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Yg0gmE8y4mweUNj1@salvia>
Date:   Wed, 16 Feb 2022 17:04:40 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Florian Westphal <fw@...len.de>
Cc:     Gal Pressman <gal@...dia.com>, netfilter-devel@...r.kernel.org,
        davem@...emloft.net, netdev@...r.kernel.org, kuba@...nel.org,
        kevmitch@...sta.com
Subject: Re: [PATCH net-next 01/14] netfilter: conntrack: mark UDP zero
 checksum as CHECKSUM_UNNECESSARY

On Wed, Feb 16, 2022 at 04:28:42PM +0100, Florian Westphal wrote:
> Gal Pressman <gal@...dia.com> wrote:
> 
> [ CC patch author ]
> 
> > > The udp_error function verifies the checksum of incoming UDP packets if
> > > one is set. This has the desirable side effect of setting skb->ip_summed
> > > to CHECKSUM_COMPLETE, signalling that this verification need not be
> > > repeated further up the stack.
> > >
> > > Conversely, when the UDP checksum is empty, which is perfectly legal (at least
> > > inside IPv4), udp_error previously left no trace that the checksum had been
> > > deemed acceptable.
> > >
> > > This was a problem in particular for nf_reject_ipv4, which verifies the
> > > checksum in nf_send_unreach() before sending ICMP_DEST_UNREACH. It makes
> > > no accommodation for zero UDP checksums unless they are already marked
> > > as CHECKSUM_UNNECESSARY.
> > >
> > > This commit ensures packets with empty UDP checksum are marked as
> > > CHECKSUM_UNNECESSARY, which is explicitly recommended in skbuff.h.
> > >
> > > Signed-off-by: Kevin Mitchell <kevmitch@...sta.com>
> > > Acked-by: Florian Westphal <fw@...len.de>
> > > Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> > > ---
> > >  net/netfilter/nf_conntrack_proto_udp.c | 4 +++-
> > >  1 file changed, 3 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
> > > index 3b516cffc779..12f793d8fe0c 100644
> > > --- a/net/netfilter/nf_conntrack_proto_udp.c
> > > +++ b/net/netfilter/nf_conntrack_proto_udp.c
> > > @@ -63,8 +63,10 @@ static bool udp_error(struct sk_buff *skb,
> > >  	}
> > >  
> > >  	/* Packet with no checksum */
> > > -	if (!hdr->check)
> > > +	if (!hdr->check) {
> > > +		skb->ip_summed = CHECKSUM_UNNECESSARY;
> > >  		return false;
> > > +	}
> > >  
> > >  	/* Checksum invalid? Ignore.
> > >  	 * We skip checking packets on the outgoing path
> > 
> > Hey,
> > 
> > I think this patch broke geneve tunnels, or possibly all udp tunnels?
> > 
> > A simple test that creates two geneve tunnels and runs tcp iperf fails
> > and results in checksum errors (TcpInCsumErrors).
> > 
> > Any idea how to solve that? Maybe 'skb->csum_level' needs some adjustments?
> 
> Probably better to revert and patch nf_reject instead to
> handle 0 udp csum?

Agreed.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ