lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <55c4c96e-c11f-49d7-8207-4f5179d380a7@uliege.be>
Date: Fri, 21 Nov 2025 19:55:27 +0100
From: Justin Iurman <justin.iurman@...ege.be>
To: David Ahern <dsahern@...nel.org>, davem@...emloft.net
Cc: netdev@...r.kernel.org, Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH net] uapi: ioam6: adjust the maximum size of a schema

On 11/21/25 17:38, David Ahern wrote:
> On 11/21/25 2:23 AM, Justin Iurman wrote:
>> On 11/20/25 17:33, Justin Iurman wrote:
>>> With IPv6, the maximum size of the IOAM Pre-allocated Trace is 244 bytes
>>> (see IOAM6_TRACE_DATA_SIZE_MAX), due to IPv6 Options length constraint.
>>> However, RFC9197 defines the Opaque State Snapshot (i.e., a data field
>>> that may be added by IOAM nodes in the pre-allocated trace) as follows:
>>>
>>>       0                   1                   2                   3
>>>       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>>>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>      |   Length      |                     Schema ID                 |
>>>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>      |                                                               |
>>>      ~                        Opaque data                            ~
>>>      |                                                               |
>>>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>      Length:
>>>         1-octet unsigned integer.  It is the length in multiples of 4
>>>         octets of the Opaque data field that follows Schema ID.
>>>
>>>      Schema ID:
>>>         3-octet unsigned integer identifying the schema of Opaque data.
>>>
>>>      Opaque data:
>>>         Variable-length field.  This field is interpreted as specified by
>>>         the schema identified by the Schema ID.
>>>
>>> Based on that, IOAM6_MAX_SCHEMA_DATA_LEN was initially set to 1020 bytes
>>> (i.e., 255 * 4), which is already bigger than what is allowed in a
>>> pre-allocated trace. As a result, if the Opaque State Snapshot (i.e.,
>>> schema) configured on an IOAM node exceeds 244 bytes, it would just
>>> skip the insertion of its data. This patch sets a more realistic
>>> boundary to avoid any confusion. Now, IOAM6_MAX_SCHEMA_DATA_LEN is set
>>> to 240 bytes (i.e., IOAM6_TRACE_DATA_SIZE_MAX - 4, to account for its
>>> 4-byte header).
>>>
>>> Fixes: 8c6f6fa67726 ("ipv6: ioam: IOAM Generic Netlink API")
>>> Signed-off-by: Justin Iurman <justin.iurman@...ege.be>
>>> ---
>>> Cc: Jakub Kicinski <kuba@...nel.org>
>>> Cc: Paolo Abeni <pabeni@...hat.com>
>>> ---
>>>    include/uapi/linux/ioam6_genl.h | 2 +-
>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/include/uapi/linux/ioam6_genl.h
>>> b/include/uapi/linux/ioam6_genl.h
>>> index 1733fbc51fb5..ce3d8bdabd3b 100644
>>> --- a/include/uapi/linux/ioam6_genl.h
>>> +++ b/include/uapi/linux/ioam6_genl.h
>>> @@ -19,7 +19,7 @@ enum {
>>>        IOAM6_ATTR_NS_DATA,    /* u32 */
>>>        IOAM6_ATTR_NS_DATA_WIDE,/* u64 */
>>>    -#define IOAM6_MAX_SCHEMA_DATA_LEN (255 * 4)
>>> +#define IOAM6_MAX_SCHEMA_DATA_LEN 240
>>>        IOAM6_ATTR_SC_ID,    /* u32 */
>>>        IOAM6_ATTR_SC_DATA,    /* Binary */
>>>        IOAM6_ATTR_SC_NONE,    /* Flag */
>>
>> So, just to clarify, I know such changes in the uapi are generally
>> prohibited. However, in this specific context, I don't believe it breaks
>> backward compatibility (IMO). But I may be wrong...
>>
>> Adding David to get his opinion from iproute2's point of view.
>>
>> If we don't want to go that way, the alternative solution is to submit a
>> patch to net-next that adds a new constant IOAM6_MAX_SCHEMA_DATA_LEN_NEW
>> (=240) and a comment "/* Deprecated */" next to
>> IOAM6_MAX_SCHEMA_DATA_LEN. Then, submit a patch to iproute2-next to use
>> IOAM6_MAX_SCHEMA_DATA_LEN_NEW instead of IOAM6_MAX_SCHEMA_DATA_LEN.
> 
> It's been 4+ years since 8c6f6fa67726 went in; I think that is way too
> long to try to make a change to the uapi like this.

You're right, it might be too risky. Besides, the current code (i.e., 
IOAM6_MAX_SCHEMA_DATA_LEN=1020) doesn't break anything per se, it was 
mainly for convenience. Do you think it would be OK to introduce a new 
constant in the uapi, as suggested above? Or did your comment also apply 
to that part?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ