Re: Broken commit: [NETFILTER]: ipt_REJECT: remove largely duplicate route_reverse function

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Krzysztof Halasa <khc@pm.waw.pl>
Cc: David Miller <davem@davemloft.net>,
	lkml <linux-kernel@vger.kernel.org>,
	netdev@vger.kernel.org,
	Netfilter Development Mailinglist
	<netfilter-devel@lists.netfilter.org>
Subject: Re: Broken commit: [NETFILTER]: ipt_REJECT: remove largely duplicate route_reverse function
Date: Wed, 29 Nov 2006 03:28:25 +0100	[thread overview]
Message-ID: <456CF049.7040407@trash.net> (raw)
In-Reply-To: <m3slg3ktvw.fsf@defiant.localdomain>

[-- Attachment #1: Type: text/plain, Size: 1663 bytes --]

Krzysztof Halasa wrote:
> Patrick McHardy <kaber@trash.net> writes:
> 
> 
>>It might be the case that your network device has a
>>hard_header_len > LL_MAX_HEADER, which could trigger
>>a corruption.
> 
> 
> Hmm... GRE tunnels add 24 bytes... I just noticed the following code in
> include/linux/netdevice.h:
> 
> /*
>  *      Compute the worst case header length according to the protocols
>  *      used.
>  */
> #if !defined(CONFIG_NET_IPIP) && \
>     !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE)
> #define MAX_HEADER LL_MAX_HEADER
> #else
> #define MAX_HEADER (LL_MAX_HEADER + 48)
> #endif
> 
> I don't use AX25, Token Ring, the old IPIP tunnels nor IPv6 here, but
> I wonder if GRE tunnel (which is basically another, more compatible
> form of IPIP) need the same treatment as IPIP.

Both ipip and gre do this:

dev->hard_header_len    = LL_MAX_HEADER + sizeof(struct iphdr);



which explains it. It is a bug in the REJECT target, but I was
wondering whether you were really seeing this. It looks like
it makes sense to add GRE to the MAX_HEADER case above though.

>>Please try this patch on top of the REJECT patch (ideally after
>>verifying that the REJECT patch is really introducing the
>>corruption).
> 
> 
> That was certain. The patch fixed the problem, confirmed with current
> git tree as well. Thanks for looking at it.

Thanks. Dave, please apply this patch.

[NETFILTER]: ipt_REJECT: fix memory corruption

On devices with hard_header_len > LL_MAX_HEADER ip_route_me_harder()
reallocates the skb, leading to memory corruption when using the stale
tcph pointer to update the checksum.

Signed-off-by: Patrick McHardy <kaber@trash.net>


[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1060 bytes --]

diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index ad0312d..264763a 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -114,6 +114,14 @@ static void send_reset(struct sk_buff *o
 	tcph->window = 0;
 	tcph->urg_ptr = 0;
 
+	/* Adjust TCP checksum */
+	tcph->check = 0;
+	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
+				   nskb->nh.iph->saddr,
+				   nskb->nh.iph->daddr,
+				   csum_partial((char *)tcph,
+						sizeof(struct tcphdr), 0));
+
 	/* Set DF, id = 0 */
 	nskb->nh.iph->frag_off = htons(IP_DF);
 	nskb->nh.iph->id = 0;
@@ -129,14 +137,8 @@ #endif
 	if (ip_route_me_harder(&nskb, addr_type))
 		goto free_nskb;
 
-	/* Adjust TCP checksum */
 	nskb->ip_summed = CHECKSUM_NONE;
-	tcph->check = 0;
-	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-				   nskb->nh.iph->saddr,
-				   nskb->nh.iph->daddr,
-				   csum_partial((char *)tcph,
-						sizeof(struct tcphdr), 0));
+
 	/* Adjust IP TTL */
 	nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);

next prev parent reply	other threads:[~2006-11-29  2:28 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-11-28 18:30 Broken commit: [NETFILTER]: ipt_REJECT: remove largely duplicate route_reverse function Krzysztof Halasa
2006-11-28 19:58 ` Patrick McHardy
2006-11-28 20:48   ` Krzysztof Halasa
2006-11-28 21:45     ` Patrick McHardy
2006-11-28 23:56       ` Krzysztof Halasa
2006-11-29  2:28         ` Patrick McHardy [this message]
2006-11-29  4:25           ` David Miller
2006-11-29  4:38             ` Herbert Xu
2006-11-29  4:44               ` David Miller
2006-11-29  4:56                 ` Herbert Xu
2006-11-29  5:04                   ` David Miller
2006-11-29  6:51                     ` Herbert Xu
2006-12-01  4:22                       ` David Miller
2006-12-01  4:37                         ` Herbert Xu
2006-12-12  1:33                           ` David Miller
2006-11-29  7:35             ` Jarek Poplawski
2006-11-29 15:06               ` Krzysztof Halasa
2006-11-29 15:16                 ` Krzysztof Halasa
2006-11-30  8:31                   ` Jarek Poplawski

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ad0312d dfblob:264763a )
 OR (
bs:"Re: Broken commit: [NETFILTER]: ipt_REJECT: remove largely duplicate route_reverse function" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=456CF049.7040407@trash.net \
    --to=kaber@trash.net \
    --cc=davem@davemloft.net \
    --cc=khc@pm.waw.pl \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.