Message-ID: <ZhZhXFdOVZ5QDfww@shredder>
Date: Wed, 10 Apr 2024 12:52:28 +0300
From: Ido Schimmel <idosch@...dia.com>
To: David Bauer <mail@...id-bauer.net>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, amcohen@...dia.com, netdev@...r.kernel.org
Subject: Re: [PATCH net] vxlan: drop packets from invalid src-address
On Wed, Apr 10, 2024 at 03:09:17AM +0200, David Bauer wrote:
> The VXLAN driver currently does not check if the inner layer2
> source-address is valid.
>
> In case source-address snooping/learning is enabled, an entry in the FDB
> for the invalid address is created with the layer3 address of the tunnel
> endpoint.
>
> If the frame happens to have a non-unicast address set, all this
> non-unicast traffic is subsequently not flooded to the tunnel network
> but sent to the learnt host in the FDB. To make matters worse, this FDB
> entry does not expire.
>
> Apply the same filtering for packets as it is done for bridges. This not
> only drops these invalid packets but prevents them from being learnt into
> the FDB.
>
> Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
>
> Suggested-by: Ido Schimmel <idosch@...dia.com>
> Signed-off-by: David Bauer <mail@...id-bauer.net>
Reviewed-by: Ido Schimmel <idosch@...dia.com>
Code looks fine, but there shouldn't be a blank line between the Fixes
tag and the other tags. Please wait 24h before reposting unless one of
the maintainers says otherwise:
https://docs.kernel.org/process/maintainer-netdev.html
Thanks
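The failure mode described in the commit message, as an added example that is neither the patch under review nor kernel code: a userspace model of a VXLAN receiver that learns inner source MACs into its FDB. Without the bridge-style validity check, a frame whose inner source is a multicast, broadcast or all-zero address is learnt against the outer IP of the tunnel endpoint, and later traffic to that address is unicast to that endpoint instead of being flooded; with the check in place the frame is dropped before learning. The fixed-size table, the names `vxlan_rcv_learn`, `fdb_lookup`, `demo_learning` and the MAC and IP values are all constructed for this example (the kernel's real FDB is a hash table with ageing).

```c
/* Added example: userspace model of VXLAN source-MAC learning with the
 * bridge-style source-address check applied before learning. Not kernel
 * code; all names and values below are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define FDB_SIZE 16

struct fdb_entry {
    uint8_t  mac[ETH_ALEN];  /* inner layer2 source address learnt */
    uint32_t remote_ip;      /* outer layer3 address of the tunnel endpoint */
    bool     used;
};

struct fdb {
    struct fdb_entry entries[FDB_SIZE];
};

/* Same test the bridge applies to a frame's source before learning from it:
 * a valid source is unicast (I/G bit of the first octet clear) and not all-zero. */
static bool is_multicast_ether_addr(const uint8_t *addr)
{
    return (addr[0] & 0x01) != 0;
}

static bool is_zero_ether_addr(const uint8_t *addr)
{
    static const uint8_t zero[ETH_ALEN] = {0};
    return memcmp(addr, zero, ETH_ALEN) == 0;
}

bool is_valid_ether_addr(const uint8_t *addr)
{
    return !is_multicast_ether_addr(addr) && !is_zero_ether_addr(addr);
}

void fdb_init(struct fdb *fdb)
{
    memset(fdb, 0, sizeof(*fdb));
}

int fdb_count(const struct fdb *fdb)
{
    int n = 0;
    for (int i = 0; i < FDB_SIZE; i++)
        n += fdb->entries[i].used;
    return n;
}

/* Returns the learnt endpoint for dst, or 0 when unknown (meaning: flood). */
uint32_t fdb_lookup(const struct fdb *fdb, const uint8_t *dst)
{
    for (int i = 0; i < FDB_SIZE; i++)
        if (fdb->entries[i].used && memcmp(fdb->entries[i].mac, dst, ETH_ALEN) == 0)
            return fdb->entries[i].remote_ip;
    return 0;
}

/* Receive path for one decapsulated frame. Returns true if the frame is
 * accepted (and, with learning on, its source learnt), false if dropped. */
bool vxlan_rcv_learn(struct fdb *fdb, const uint8_t *inner_src,
                     uint32_t remote_ip, bool learning)
{
    /* The fix: drop frames whose inner source could never belong to a host.
     * Without this check a multicast source ends up in the FDB bound to
     * remote_ip, and frames addressed to that multicast address are then
     * sent to one endpoint instead of being flooded. */
    if (!is_valid_ether_addr(inner_src))
        return false;
    if (!learning)
        return true;
    /* Update an existing entry or take a free slot. */
    for (int i = 0; i < FDB_SIZE; i++) {
        if (fdb->entries[i].used && memcmp(fdb->entries[i].mac, inner_src, ETH_ALEN) == 0) {
            fdb->entries[i].remote_ip = remote_ip;
            return true;
        }
    }
    for (int i = 0; i < FDB_SIZE; i++) {
        if (!fdb->entries[i].used) {
            memcpy(fdb->entries[i].mac, inner_src, ETH_ALEN);
            fdb->entries[i].remote_ip = remote_ip;
            fdb->entries[i].used = true;
            return true;
        }
    }
    return true; /* table full: frame still accepted, just not learnt */
}

/* Runs the scenario from the commit message against a fresh FDB. Returns the
 * number of frames dropped (3: multicast, broadcast and zero source), or -1
 * if the FDB does not end up in the expected state. */
int demo_learning(void)
{
    struct fdb fdb;
    fdb_init(&fdb);
    /* Constructed addresses and endpoint IP for this example. */
    const uint8_t host[ETH_ALEN]  = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    const uint8_t mcast[ETH_ALEN] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01};
    const uint8_t bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    const uint8_t zero[ETH_ALEN]  = {0};
    const uint32_t vtep = 0x0a000001; /* 10.0.0.1 */
    int dropped = 0;

    if (!vxlan_rcv_learn(&fdb, host, vtep, true))
        return -1;
    dropped += !vxlan_rcv_learn(&fdb, mcast, vtep, true);
    dropped += !vxlan_rcv_learn(&fdb, bcast, vtep, true);
    dropped += !vxlan_rcv_learn(&fdb, zero, vtep, true);

    /* Only the real host was learnt; the multicast address stays unknown,
     * so traffic to it is still flooded rather than sent to one endpoint. */
    if (fdb_count(&fdb) != 1 || fdb_lookup(&fdb, host) != vtep || fdb_lookup(&fdb, mcast) != 0)
        return -1;
    return dropped;
}

int main(void)
{
    printf("frames dropped by the source check: %d\n", demo_learning());
    return 0;
}
```

Run as is, the program reports three dropped frames and a single learnt entry; removing the `is_valid_ether_addr` test in `vxlan_rcv_learn` reproduces the bug, with the multicast address learnt against the endpoint IP and no ageing to remove it.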