lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240426204101.GE516117@kernel.org>
Date: Fri, 26 Apr 2024 21:41:01 +0100
From: Simon Horman <horms@...nel.org>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netdev@...r.kernel.org, davem@...emloft.net, laforge@...ocom.org,
	pespin@...mocom.de, osmith@...mocom.de, kuba@...nel.org,
	pabeni@...hat.com, edumazet@...gle.com, fw@...len.de
Subject: Re: [PATCH net-next 04/12] gtp: add IPv6 support

On Thu, Apr 25, 2024 at 12:51:30PM +0200, Pablo Neira Ayuso wrote:
> Add new iflink attributes to configure in-kernel UDP listener socket
> address: IFLA_GTP_LOCAL and IFLA_GTP_LOCAL6. If none of these attributes
> are specified, default is still to IPv4 INADDR_ANY for backward
> compatibility.
> 
> Add new attributes to set up family and IPv6 address of GTP tunnels:
> GTPA_FAMILY, GTPA_PEER_ADDR6 and GTPA_MS_ADDR6. If no GTPA_FAMILY is
> specified, AF_INET is assumed for backward compatibility.
> 
> setsockopt IPV6_ADDRFORM allows to downgrade socket from IPv6 to IPv4
> after socket is bound. Assumption is that socket listener that is
> attached to the gtp device needs to be either IPv4 or IPv6. Therefore,
> GTP socket listener does not allow for IPv4-mapped-IPv6 listener.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> ---
>  drivers/net/gtp.c            | 390 ++++++++++++++++++++++++++++++++---
>  include/uapi/linux/gtp.h     |   3 +
>  include/uapi/linux/if_link.h |   2 +
>  3 files changed, 368 insertions(+), 27 deletions(-)
> 
> diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
> index 1c4429d24cfc..69d865e592df 100644
> --- a/drivers/net/gtp.c
> +++ b/drivers/net/gtp.c
> @@ -24,6 +24,7 @@
>  #include <net/net_namespace.h>
>  #include <net/protocol.h>
>  #include <net/ip.h>
> +#include <net/ipv6.h>
>  #include <net/udp.h>
>  #include <net/udp_tunnel.h>
>  #include <net/icmp.h>
> @@ -52,9 +53,11 @@ struct pdp_ctx {
>  
>  	union {
>  		struct in_addr	addr;
> +		struct in6_addr	addr6;
>  	} ms;
>  	union {
>  		struct in_addr	addr;
> +		struct in6_addr	addr6;
>  	} peer;
>  
>  	struct sock		*sk;
> @@ -131,6 +134,11 @@ static inline u32 ipv4_hashfn(__be32 ip)
>  	return jhash_1word((__force u32)ip, gtp_h_initval);
>  }
>  
> +static inline u32 ipv6_hashfn(const struct in6_addr *ip6)
> +{
> +	return jhash(ip6, sizeof(*ip6), gtp_h_initval);
> +}
> +

Hi Pablo,

I'm would naively expect that the compiler can work out if this needs to
be inline.

>  /* Resolve a PDP context structure based on the 64bit TID. */
>  static struct pdp_ctx *gtp0_pdp_find(struct gtp_dev *gtp, u64 tid)
>  {

...

> @@ -878,6 +951,20 @@ static inline void gtp_set_pktinfo_ipv4(struct gtp_pktinfo *pktinfo,
>  	pktinfo->dev	= dev;
>  }
>  
> +static inline void gtp_set_pktinfo_ipv6(struct gtp_pktinfo *pktinfo,
> +					struct sock *sk, struct ipv6hdr *ip6h,
> +					struct pdp_ctx *pctx, struct rt6_info *rt6,
> +					struct flowi6 *fl6,
> +					struct net_device *dev)
> +{
> +	pktinfo->sk	= sk;
> +	pktinfo->ip6h	= ip6h;
> +	pktinfo->pctx	= pctx;
> +	pktinfo->rt6	= rt6;
> +	pktinfo->fl6	= *fl6;
> +	pktinfo->dev	= dev;
> +}

Here too.

...

> @@ -1441,7 +1736,14 @@ static struct pdp_ctx *gtp_pdp_add(struct gtp_dev *gtp, struct sock *sk,
>  		if (!pctx)
>  			pctx = pctx_tid;
>  
> -		ipv4_pdp_fill(pctx, info);
> +		switch (pctx->af) {
> +		case AF_INET:
> +			ipv4_pdp_fill(pctx, info);
> +			break;
> +		case AF_INET6:
> +			ipv6_pdp_fill(pctx, info);
> +			break;
> +		}
>  
>  		if (pctx->gtp_version == GTP_V0)
>  			netdev_dbg(dev, "GTPv0-U: update tunnel id = %llx (pdp %p)\n",

The code just before the following hunk is:

	pctx = kmalloc(sizeof(*pctx), GFP_ATOMIC);
	if (pctx == NULL)
		return ERR_PTR(-ENOMEM);


> @@ -1461,7 +1763,24 @@ static struct pdp_ctx *gtp_pdp_add(struct gtp_dev *gtp, struct sock *sk,
>  	sock_hold(sk);
>  	pctx->sk = sk;
>  	pctx->dev = gtp->dev;
> -	ipv4_pdp_fill(pctx, info);
> +	pctx->af = family;
> +
> +	switch (pctx->af) {
> +	case AF_INET:
> +		if (!info->attrs[GTPA_MS_ADDRESS] ||
> +		    !info->attrs[GTPA_PEER_ADDRESS])
> +			return ERR_PTR(-EINVAL);

So this appears to leak pctx.

> +
> +		ipv4_pdp_fill(pctx, info);
> +		break;
> +	case AF_INET6:
> +		if (!info->attrs[GTPA_MS_ADDR6] ||
> +		    !info->attrs[GTPA_PEER_ADDR6])
> +			return ERR_PTR(-EINVAL);

Likewise here.

Flagged by Smatch.

> +
> +		ipv6_pdp_fill(pctx, info);
> +		break;
> +	}
>  	atomic_set(&pctx->tx_seq, 0);
>  
>  	switch (pctx->gtp_version) {

...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ