| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aLBQLVEAqLOHl15T@strlen.de> Date: Thu, 28 Aug 2025 14:48:45 +0200 From: Florian Westphal <fw@...len.de> To: Fabian Bläse <fabian@...ese.de> Cc: netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, "Jason A. Donenfeld" <Jason@...c4.com> Subject: Re: [PATCH v3] icmp: fix icmp_ndo_send address translation for reply direction Fabian Bläse <fabian@...ese.de> wrote: > The icmp_ndo_send function was originally introduced to ensure proper > rate limiting when icmp_send is called by a network device driver, > where the packet's source address may have already been transformed > by SNAT. > > However, the original implementation only considers the > IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's > source address with that of the original-direction tuple. This causes > two problems: > > 1. For SNAT: > Reply-direction packets were incorrectly translated using the source > address of the CT original direction, even though no translation is > required. > > 2. For DNAT: > Reply-direction packets were not handled at all. In DNAT, the original > direction's destination is translated. Therefore, in the reply > direction the source address must be set to the reply-direction > source, so rate limiting works as intended. > > Fix this by using the connection direction to select the correct tuple > for source address translation, and adjust the pre-checks to handle > reply-direction packets in case of DNAT. > > Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids > possible KCSAN reports about concurrent updates to `ct->status`. Reviewed-by: Florian Westphal <fw@...len.de>
Powered by blists - more mailing lists