From: Arnaldo Carvalho de Melo <acme@redhat.com>
To: dccp@vger.kernel.org
Subject: Re: [DCCP]: Fix skb->cb conflicts with IP
Date: Fri, 04 Apr 2008 13:47:11 +0000
Message-ID: <20080404134711.GB5989@ghostprotocols.net>
In-Reply-To: <47F61B5C.8090105@trash.net>

On Fri, Apr 04, 2008 at 02:25:25PM +0100, Gerrit Renker wrote:
> Arnaldo,
>
> just a thought - I recall that there used to be a bug related to this,
> which required to insert the following before sending an skb:
>
> memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt))
>
> This was about 1+1/2 .. 2 years ago and led to crashes when the memset
> was removed. Maybe with this solution the memsets are then no longer
> necessary? The reference is
> * output.c:dccp_transmit_skb()
> * ipv4.c:dccp_v4_send_response()

Well spotted, yes, those can now be safely removed, since we don't touch
the initial inet6?_skb_parm area it will remain as zeros (alloc_skb did
that for us) and we don't have to zero it anymore before passing it to
IP.

- Arnaldo

> Gerrit
>
> | commit eced67957ee99f7b5fafdc73a58bcd037a1789b2
> | Author: Patrick McHardy <kaber@trash.net>
> | Date: Fri Apr 4 14:10:23 2008 +0200
> |
> | [DCCP]: Fix skb->cb conflicts with IP
> |
> | dev_queue_xmit() and the other IP output functions expect to get a skb
> | with clear or properly initialized skb->cb. Unlike TCP and UDP, the
> | dccp_skb_cb doesn't contain a struct inet_skb_parm at the beginning,
> | so the DCCP-specific data is interpreted by the IP output functions.
> | This can cause false negatives for the conditional POST_ROUTING hook
> | invocation, making the packet bypass the hook.
> |
> | Add a inet_skb_parm/inet6_skb_parm union to the beginning of
> | dccp_skb_cb to avoid clashes. Also add a BUILD_BUG_ON to make
> | sure it fits in the cb.
> |
> | Signed-off-by: Patrick McHardy <kaber@trash.net>
> |
> | diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h
> | index fe7726b..f44d492 100644
> | --- a/net/dccp/dccp.h
> | +++ b/net/dccp/dccp.h
> | @@ -325,6 +325,12 @@ static inline int dccp_bad_service_code(const struct sock *sk,
> | * This is used for transmission as well as for reception.
> | */
> | struct dccp_skb_cb {
> | + union {
> | + struct inet_skb_parm h4;
> | +#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
> | + struct inet6_skb_parm h6;
> | +#endif
> | + } header;
> | __u8 dccpd_type:4;
> | __u8 dccpd_ccval:4;
> | __u8 dccpd_reset_code,
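Review bot: the new `header` union at the top of struct dccp_skb_cb carries no comment saying that it must stay the first member and must not be written by DCCP code, yet the fix depends on both, since the IP output functions read that area. A short comment above the union would protect it from a later reordering of the struct. Minor style point on the same hunk: `defined (CONFIG_IPV6_MODULE)` has a space that `defined(CONFIG_IPV6)` on the same line does not.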
> | diff --git a/net/dccp/proto.c b/net/dccp/proto.c
> | index e3f5d37..c91d3c1 100644
> | --- a/net/dccp/proto.c
> | +++ b/net/dccp/proto.c
> | @@ -1057,6 +1057,9 @@ static int __init dccp_init(void)
> | int ehash_order, bhash_order, i;
> | int rc = -ENOBUFS;
> |
> | + BUILD_BUG_ON(sizeof(struct dccp_skb_cb) >
> | + FIELD_SIZEOF(struct sk_buff, cb));
> | +
> | dccp_hashinfo.bind_bucket_cachep > | kmem_cache_create("dccp_bind_bucket",
> | sizeof(struct inet_bind_bucket), 0,
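Review bot: the BUILD_BUG_ON in dccp_init() checks only that struct dccp_skb_cb fits in `cb`, not that `header` sits at offset 0, which is the property the IP layer relies on. A second check such as `BUILD_BUG_ON(offsetof(struct dccp_skb_cb, header) != 0)` next to it would catch a member being added in front of the union. The check also sits in proto.c while the struct lives in dccp.h, so a brief comment at either end pointing to the other would help whoever next changes the struct.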
>
>
> --
>
>
> The University of Aberdeen is a charity registered in Scotland, No SC013683.
>
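A userspace model of the layout problem the commit message describes, as an added example that is not part of the thread or the kernel source: the structs are simplified stand-ins for inet_skb_parm and dccp_skb_cb, and their field sizes, the 48-byte buffer and the sample values are assumptions. It shows that with DCCP fields at offset 0 the IP layer's view of the control buffer is no longer clear, while reserving the IP area first keeps it zeroed without any extra memset.

```c
#include <stdint.h>
#include <string.h>

#define CB_SIZE 48                       /* models sk_buff.cb[]; size is an assumption */

struct ip_parm {                         /* simplified stand-in for inet_skb_parm */
    uint8_t  opt[16];
    uint16_t flags;
};
struct dccp_cb_old {                     /* before: DCCP fields start at offset 0 */
    uint8_t  type, reset_code;
    uint16_t opt_len;
    uint64_t seq;
};
struct dccp_cb_new {                     /* after: IP's area is reserved first */
    union { struct ip_parm h4; } header;
    uint8_t  type, reset_code;
    uint16_t opt_len;
    uint64_t seq;
};
/* Userspace counterpart of the BUILD_BUG_ON in the patch. */
_Static_assert(sizeof(struct dccp_cb_new) <= CB_SIZE, "cb overflow");

struct skb { unsigned char cb[CB_SIZE]; };

/* The IP layer interprets the first sizeof(struct ip_parm) bytes of cb. */
static int ip_view_is_clear(const struct skb *skb)
{
    static const unsigned char zero[sizeof(struct ip_parm)];
    return memcmp(skb->cb, zero, sizeof(zero)) == 0;
}

/* Returns 1 if IP would see a clear area after DCCP fills in its fields. */
int old_layout_clear(void)
{
    struct skb skb;
    struct dccp_cb_old cb = { .type = 2, .opt_len = 8, .seq = 0x1234 }; /* constructed */
    memset(skb.cb, 0, CB_SIZE);          /* buffer starts zeroed, as after allocation */
    memcpy(skb.cb, &cb, sizeof(cb));
    return ip_view_is_clear(&skb);
}

int new_layout_clear(void)
{
    struct skb skb;
    struct dccp_cb_new cb = { .type = 2, .opt_len = 8, .seq = 0x1234 }; /* constructed */
    memset(skb.cb, 0, CB_SIZE);
    memcpy(skb.cb, &cb, sizeof(cb));
    return ip_view_is_clear(&skb);
}

int main(void) { return !(old_layout_clear() == 0 && new_layout_clear() == 1); }
```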