Message-ID: <8ab8b3b5-a582-4002-90d9-56beefc7c682@david-bauer.net>
Date: Mon, 1 Apr 2024 07:45:48 +0200
From: David Bauer <mail@...id-bauer.net>
To: Ratheesh Kannoth <rkannoth@...vell.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, amcohen@...dia.com, netdev@...r.kernel.org,
 Ido Schimmel <idosch@...dia.com>
Subject: Re: [PATCH net-next] vxlan: drop packets from invalid src-address

Hello Ratheesh,

On 4/1/24 05:04, Ratheesh Kannoth wrote:
> On 2024-04-01 at 02:44:34, David Bauer (mail@...id-bauer.net) wrote:
>> The VXLAN driver currently does not check if the inner layer2
>> source-address is valid.
>>
>> In case source-address snooping/learning is enabled, an entry in the FDB
>> for the invalid address is created with the layer3 address of the tunnel
>> endpoint.
> What is the root cause of the creation of an invalid MAC from an L3 address? Could you
> add that as well to the commit message.

I sadly cannot elaborate on this further, as the state happens sporadically
after weeks of operation. For more details, see

https://lore.kernel.org/all/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/T/

Best
David

> 
>>
>> If the frame happens to have a non-unicast address set, all this
>> non-unicast traffic is subsequently not flooded to the tunnel network
>> but sent to the learnt host in the FDB. To make matters worse, this FDB
>> entry does not expire.
>>
>> Apply the same filtering for packets as is done for bridges. This not
>> only drops these invalid packets but prevents them from being learnt into
>> the FDB.
>>
>> Suggested-by: Ido Schimmel <idosch@...dia.com>
>> Signed-off-by: David Bauer <mail@...id-bauer.net>
>> ---
>>   drivers/net/vxlan/vxlan_core.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
>> index 3495591a5c29..ba319fc21957 100644
>> --- a/drivers/net/vxlan/vxlan_core.c
>> +++ b/drivers/net/vxlan/vxlan_core.c
>> @@ -1615,6 +1615,10 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan,
>>   	if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr))
>>   		return false;
>>
>> +	/* Ignore packets from invalid src-address */
>> +	if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
>> +		return false;
>> +
>>   	/* Get address from the outer IP header */
>>   	if (vxlan_get_sk_family(vs) == AF_INET) {
>>   		saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
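Review bot: the added is_valid_ether_addr() check returns false unconditionally, so a frame with an all-zero or multicast/broadcast inner source address is dropped on every receive that passes through vxlan_set_mac(), not only when learning is enabled as the commit message's second paragraph implies; the message should say so explicitly. The comment "Ignore packets from invalid src-address" could also name what the helper rejects (all-zero and I/G-bit source addresses), since that is the bridge behaviour the message refers to. Given that the condition is reported as appearing sporadically after weeks of operation, consider counting or attributing these drops rather than silently returning false like the loop check above, so the event can be observed when it recurs.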
>> --
>> 2.43.0
>>
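As an added illustration of the check the patch introduces, here is a small user-space C program that is not part of the thread or of the kernel: it reimplements the address-validity rule with the same semantics as the kernel helpers (a source address is valid when it is neither all-zero nor has the I/G bit set) and runs a toy forwarding database, constructed for this example, through a frame with a broadcast inner source both without and with the filter. The `vxlan_learn()` function, the FDB layout and the sample MAC/IP values are all assumptions made for the demonstration, not the driver's own code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define FDB_SIZE 16

/* Same rule as the kernel's is_zero_ether_addr(): all six octets are zero. */
static bool is_zero_ether_addr(const uint8_t *addr)
{
	static const uint8_t zero[ETH_ALEN];
	return memcmp(addr, zero, ETH_ALEN) == 0;
}

/* Same rule as is_multicast_ether_addr(): the I/G bit (LSB of the first
 * octet) is set. The broadcast address ff:ff:ff:ff:ff:ff is one such case. */
static bool is_multicast_ether_addr(const uint8_t *addr)
{
	return (addr[0] & 0x01) != 0;
}

/* Same rule as is_valid_ether_addr(): neither multicast nor all-zero, i.e.
 * a unicast address that can legitimately appear as a frame's source. */
static bool is_valid_ether_addr(const uint8_t *addr)
{
	return !is_multicast_ether_addr(addr) && !is_zero_ether_addr(addr);
}

/* Toy forwarding database (constructed for this example): inner source MAC
 * -> outer IPv4 address of the tunnel endpoint the frame arrived from. */
struct fdb_entry {
	bool used;
	uint8_t mac[ETH_ALEN];
	uint32_t remote_ip;
};
static struct fdb_entry fdb[FDB_SIZE];

static void fdb_reset(void)
{
	memset(fdb, 0, sizeof(fdb));
}

static struct fdb_entry *fdb_lookup(const uint8_t *mac)
{
	for (int i = 0; i < FDB_SIZE; i++)
		if (fdb[i].used && memcmp(fdb[i].mac, mac, ETH_ALEN) == 0)
			return &fdb[i];
	return NULL;
}

static int fdb_count(void)
{
	int n = 0;
	for (int i = 0; i < FDB_SIZE; i++)
		n += fdb[i].used ? 1 : 0;
	return n;
}

/* Hypothetical receive-side learning step. With filter_invalid == false it
 * behaves like the pre-patch driver and learns whatever source address the
 * frame carries; with filter_invalid == true it applies the patch's check
 * first. Returns true if the frame continues, false if it is dropped. */
static bool vxlan_learn(const uint8_t *src_mac, uint32_t remote_ip,
			bool filter_invalid)
{
	if (filter_invalid && !is_valid_ether_addr(src_mac))
		return false;

	struct fdb_entry *e = fdb_lookup(src_mac);
	if (e) {
		e->remote_ip = remote_ip; /* refresh the existing entry */
		return true;
	}
	for (int i = 0; i < FDB_SIZE; i++) {
		if (!fdb[i].used) {
			fdb[i].used = true;
			memcpy(fdb[i].mac, src_mac, ETH_ALEN);
			fdb[i].remote_ip = remote_ip;
			break;
		}
	}
	return true;
}

int main(void)
{
	/* Constructed sample frames: one sane unicast source, one broadcast source. */
	const uint8_t host[ETH_ALEN]  = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
	const uint8_t bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
	const uint32_t vtep = 0x0a000001; /* 10.0.0.1, constructed */

	fdb_reset();
	vxlan_learn(host, vtep, false);
	vxlan_learn(bcast, vtep, false);
	printf("without filter: %d FDB entries, broadcast source learnt: %s\n",
	       fdb_count(), fdb_lookup(bcast) ? "yes" : "no");

	fdb_reset();
	vxlan_learn(host, vtep, true);
	bool kept = vxlan_learn(bcast, vtep, true);
	printf("with filter: %d FDB entries, broadcast-source frame %s\n",
	       fdb_count(), kept ? "forwarded" : "dropped");
	return 0;
}
```

Without the filter the broadcast source lands in the FDB pointing at the tunnel endpoint, which is the state the commit message describes; with the filter the frame is dropped before the learning step and the table only holds the unicast host.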
