From: Simon Horman <simon.horman@netronome.com>
To: Tom Herbert <tom@quantonium.net>
Cc: davem@davemloft.net, netdev@vger.kernel.org,
alex.popov@linux.com, hannes@stressinduktion.org
Subject: Re: [PATCH net-next 2/2] flow_dissector: Add limits for encapsulation and EH
Date: Fri, 1 Sep 2017 14:22:43 +0200
Message-ID: <20170901122241.GA4938@vergenet.net>
In-Reply-To: <20170831222239.21509-3-tom@quantonium.net>
On Thu, Aug 31, 2017 at 03:22:39PM -0700, Tom Herbert wrote:
> In flow dissector there are no limits to the number of nested
> encapsulations that might be dissected which makes for a nice DOS
> attack. This patch adds limits for dissecting nested encapsulations
> as well as for dissecting over extension headers.
>
> Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Signed-off-by: Tom Herbert <tom@quantonium.net>
> ---
> net/core/flow_dissector.c | 48 ++++++++++++++++++++++++++++++++++++++++++++---
> 1 file changed, 45 insertions(+), 3 deletions(-)
>
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index 5110180a3e96..1bca748de27d 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -396,6 +396,35 @@ __skb_flow_dissect_ipv6(const struct sk_buff *skb,
> key_ip->ttl = iph->hop_limit;
> }
>
> +/* Maximum number of nested encapsulations that can be processed in
> + * __skb_flow_dissect
> + */
> +#define MAX_FLOW_DISSECT_ENCAPS 5
> +
> +static bool skb_flow_dissect_encap_allowed(int *num_encaps, unsigned int *flags)
> +{
> + ++*num_encaps;
> +
> + if (*num_encaps >= MAX_FLOW_DISSECT_ENCAPS) {
> + if (*num_encaps == MAX_FLOW_DISSECT_ENCAPS) {
> + /* Allow one more pass but ignore disregard
It seems that 'ignore' or 'disregard' should be dropped from the text above.
> + * further encapsulations
> + */
> + *flags |= FLOW_DISSECTOR_F_STOP_AT_ENCAP;
> + } else {
> + /* Max encaps reached */
> + return false;
There are two spaces between 'return' and 'false'.
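Review bot: skb_flow_dissect_encap_allowed() mutates the caller's *flags as a side effect, which neither its name nor the comment above it mentions, and it relies on the caller having zeroed *num_encaps before the first call; a short comment above the function stating both (that *num_encaps must start at 0, and that on the last permitted pass FLOW_DISSECTOR_F_STOP_AT_ENCAP is set in *flags so further encapsulations are skipped rather than dissected) would make the contract clear to the callers in __skb_flow_dissect. The nested ifs could also be flattened to the same effect, e.g. `if (*num_encaps > MAX_FLOW_DISSECT_ENCAPS) return false;` followed by `if (*num_encaps == MAX_FLOW_DISSECT_ENCAPS) *flags |= FLOW_DISSECTOR_F_STOP_AT_ENCAP;`, which reads more directly than a `>=` check with an `==` test inside it.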
...