From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, Willem de Bruijn <willemb@google.com>
Subject: [PATCH net-next 1/3] icmp: revise rfc4884 tests
Date: Thu, 23 Jul 2020 10:33:55 -0400 [thread overview]
Message-ID: <20200723143357.451069-2-willemdebruijn.kernel@gmail.com> (raw)
In-Reply-To: <20200723143357.451069-1-willemdebruijn.kernel@gmail.com>
From: Willem de Bruijn <willemb@google.com>
1) Only accept packets with original datagram len field >= header len.
The extension header must start after the original datagram headers.
The embedded datagram len field is compared against the 128B minimum
stipulated by RFC 4884. It is unlikely that headers extend beyond
this. But as we know the exact header length, check explicitly.
2) Remove the check that datagram length must be <= 576B.
This is a send constraint. There is no value in testing this on rx.
Within private networks it may be known safe to send larger packets.
Process these packets.
This test was also too lax. It compared original datagram length
rather than entire icmp packet length. The stand-alone fix would be:
- if (hlen + skb->len > 576)
+ if (-skb_network_offset(skb) + skb->len > 576)
Fixes: eba75c587e81 ("icmp: support rfc 4884")
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
net/ipv4/icmp.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index fd2e7a3a9eb2..646d4fb72c07 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -1199,16 +1199,12 @@ void ip_icmp_error_rfc4884(const struct sk_buff *skb,
return;
}
- /* outer headers up to inner iph. skb->data is at inner payload */
+ /* original datagram headers: end of icmph to payload (skb->data) */
hlen = -skb_transport_offset(skb) - sizeof(struct icmphdr);
- /* per rfc 791: maximum packet length of 576 bytes */
- if (hlen + skb->len > 576)
- return;
-
/* per rfc 4884: minimal datagram length of 128 bytes */
off = icmp_hdr(skb)->un.reserved[1] * sizeof(u32);
- if (off < 128)
+ if (off < 128 || off < hlen)
return;
/* kernel has stripped headers: return payload offset in bytes */
--
2.28.0.rc0.105.gf9edc3c819-goog
next prev parent reply other threads:[~2020-07-23 14:34 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-23 14:33 [PATCH net-next 0/3] icmp6: support rfc 4884 Willem de Bruijn
2020-07-23 14:33 ` Willem de Bruijn [this message]
2020-07-23 14:33 ` [PATCH net-next 2/3] icmp: prepare rfc 4884 for ipv6 Willem de Bruijn
2020-07-23 14:33 ` [PATCH net-next 3/3] icmp6: support rfc 4884 Willem de Bruijn
2020-07-23 16:44 ` Jakub Kicinski
2020-07-23 17:13 ` Willem de Bruijn
2020-07-24 2:25 ` kernel test robot
2020-07-24 2:25 ` kernel test robot
2020-07-24 4:33 ` kernel test robot
2020-07-24 4:33 ` kernel test robot
2020-07-24 4:33 ` [RFC PATCH] icmp6: ipv6_icmp_error_rfc4884() can be static kernel test robot
2020-07-24 4:33 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200723143357.451069-2-willemdebruijn.kernel@gmail.com \
--to=willemdebruijn.kernel@gmail.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.