Message-ID: <212f8956-0c8b-569e-781f-80216f858dc8@katalix.com>
Date: Tue, 30 Apr 2024 17:37:31 +0100
From: James Chapman <jchapman@...alix.com>
To: Tom Parkin <tparkin@...alix.com>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next] l2tp: fix ICMP error handling for UDP-encap
 sockets

On 30/04/2024 15:03, Tom Parkin wrote:
> Since commit a36e185e8c85
> ("udp: Handle ICMP errors for tunnels with same destination port on both endpoints")
> UDP's handling of ICMP errors has allowed for UDP-encap tunnels to
> determine socket associations in scenarios where the UDP hash lookup
> could not.
>
> Subsequently, commit d26796ae58940
> ("udp: check udp sock encap_type in __udp_lib_err")
> subtly tweaked the approach such that UDP ICMP error handling would be
> skipped for any UDP socket which has encapsulation enabled.
>
> In the case of L2TP tunnel sockets using UDP-encap, this latter
> modification effectively broke ICMP error reporting for the L2TP
> control plane.
>
> To a degree this isn't catastrophic inasmuch as the L2TP control
> protocol defines a reliable transport on top of the underlying packet
> switching network which will eventually detect errors and time out.
>
> However, paying attention to the ICMP error reporting allows for more
> timely detection of errors in L2TP userspace, and aids in debugging
> connectivity issues.
>
> Reinstate ICMP error handling for UDP encap L2TP tunnels:
>
>   * implement struct udp_tunnel_sock_cfg .encap_err_rcv in order to allow
>     the L2TP code to handle ICMP errors;
>
>   * only implement error-handling for tunnels which have a managed
>     socket: unmanaged tunnels using a kernel socket have no userspace to
>     report errors back to;
>
>   * flag the error on the socket, which allows for userspace to get an
>     error such as -ECONNREFUSED back from sendmsg/recvmsg;
>
>   * pass the error into ip[v6]_icmp_error() which allows for userspace to
>     get extended error information via MSG_ERRQUEUE.
>
> Fixes: d26796ae5894 ("udp: check udp sock encap_type in __udp_lib_err")
> Signed-off-by: Tom Parkin <tparkin@...alix.com>

Reviewed-by: James Chapman <jchapman@...alix.com>
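
The last two bullets of the quoted commit message describe what userspace sees: an errno from sendmsg/recvmsg, plus extended detail via MSG_ERRQUEUE. As an added example (not part of the patch or of this thread), the C below shows how a userspace daemon on Linux could opt in with IP_RECVERR/IPV6_RECVERR and drain one queued error; the helper names are hypothetical and `fd` is assumed to be the tunnel's managed UDP socket.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/errqueue.h>

/* Added example; helper names are hypothetical, not from the patch. */
/* Opt in to queued errors; call once on the tunnel's UDP socket. */
int enable_recverr(int fd, int family)
{
    int on = 1;
    return family == AF_INET6
        ? setsockopt(fd, IPPROTO_IPV6, IPV6_RECVERR, &on, sizeof(on))
        : setsockopt(fd, IPPROTO_IP, IP_RECVERR, &on, sizeof(on));
}

/* Copy the sock_extended_err out of an error-queue message's ancillary
 * data. Returns 0 on success, -1 if it is absent or truncated. */
int find_ext_err(struct msghdr *msg, struct sock_extended_err *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        int v4 = c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_RECVERR;
        int v6 = c->cmsg_level == IPPROTO_IPV6 && c->cmsg_type == IPV6_RECVERR;
        if (!v4 && !v6)
            continue;
        if (c->cmsg_len < CMSG_LEN(sizeof(*out)))
            return -1;              /* control message too short */
        memcpy(out, CMSG_DATA(c), sizeof(*out));
        return 0;
    }
    return -1;
}

/* Non-blocking read of one queued error: 1 if *out was filled, 0 if the
 * queue is empty, -1 on failure or when no usable error cmsg arrived. */
int read_queued_err(int fd, struct sock_extended_err *out)
{
    char payload[256]; /* receives the datagram that triggered the error */
    union { char buf[512]; struct cmsghdr align; } ctl;
    struct iovec iov = { .iov_base = payload, .iov_len = sizeof(payload) };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = ctl.buf, .msg_controllen = sizeof(ctl.buf) };
    if (recvmsg(fd, &msg, MSG_ERRQUEUE | MSG_DONTWAIT) < 0)
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
    if (msg.msg_flags & MSG_CTRUNC)
        return -1;                  /* ancillary data did not fit */
    return find_ext_err(&msg, out) == 0 ? 1 : -1;
}
```

For an ICMP-originated error, `ee_origin` is `SO_EE_ORIGIN_ICMP` (or `SO_EE_ORIGIN_ICMP6`) and `ee_errno` carries the errno the socket would report, such as `ECONNREFUSED`.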


