From: Eric Dumazet <eric.dumazet@gmail.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: netdev@vger.kernel.org, davem@davemloft.net
Subject: Re: [PATCH] AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2)
Date: Wed, 28 Oct 2009 22:01:08 +0100 [thread overview]
Message-ID: <4AE8B114.6050504@gmail.com> (raw)
In-Reply-To: <20091028185947.GA12675@hmsreliant.think-freely.org>
Neil Horman wrote:
>
>> I believe we should drop the request, since padding it is not what was expected by user.
>
> Yeah, I had a feeling. Ok, version 2, this time drop the invalid frame and
> report it to user space, instead of expanding it:
>
>
> Augment raw_send_hdrinc to correct for incorrect ip header length values
>
> A series of oopses was reported to me recently. Apparently when using AF_RAW
> sockets to send data to peers that were reachable via ipsec encapsulation,
> people could panic or BUG halt their systems.
>
> I've tracked the problem down to user space sending an invalid ip header over an
> AF_RAW socket with IP_HDRINCL set to 1.
>
> Basically what happens is that userspace sends down an ip frame that includes
> only the header (no data), but sets the ip header ihl value to a large number,
> one that is larger than the total amount of data passed to the sendmsg call. In
> raw_send_hdrinc, we allocate an skb based on the size of the data in the msghdr
> that was passed in, but assume the data is all valid. Later during ipsec
> encapsulation, xfrm4_transport_output moves the entire frame back in the skbuff
> to provide headroom for the ipsec headers. During this operation, the
> skb->transport_header is repointed to a spot computed by
> skb->network_header + the ip header length (ihl). Since so little data was
> passed in relative to the value of ihl provided by the raw socket, we point
> transport header to an unknown location, resulting in various crashes.
>
> The fix for this is pretty straightforward: simply validate the value of
> iph->ihl when sending over a raw socket. If (iph->ihl*4U) > user data buffer
> size, drop the frame and return -EINVAL. I just confirmed this fixes the
> reported crashes.
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
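The validation the patch description asks for, as an added example written for this page (it is neither Neil Horman's patch nor the kernel's own raw_send_hdrinc): a user-space model of what must hold before anything trusts iph->ihl on an IP_HDRINCL frame, i.e. ihl*4 may not exceed the number of bytes actually handed to sendmsg(), plus the version and minimum-length checks that go with it. The names validate_hdrincl_frame, make_frame and check_frame and the constructed frames are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDR_LEN 20u   /* ihl == 5 words, a header without options */

/* Validate a user-supplied IP_HDRINCL frame before anything trusts iph->ihl.
 * Returns 0 when the header is usable and -EINVAL when the frame must be
 * dropped. The decisive test is the one the patch description gives: ihl*4
 * must not exceed the number of bytes the caller actually passed in. */
int validate_hdrincl_frame(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < IPV4_MIN_HDR_LEN)
        return -EINVAL;                     /* not even a base header present */

    unsigned int version   = buf[0] >> 4;
    unsigned int ihl_bytes = (buf[0] & 0x0fu) * 4u;   /* same as iph->ihl*4U */

    if (version != 4)
        return -EINVAL;
    if (ihl_bytes < IPV4_MIN_HDR_LEN)
        return -EINVAL;                     /* ihl < 5 is never a valid header */
    if (ihl_bytes > len)
        return -EINVAL;                     /* header claims more bytes than were sent */
    return 0;
}

/* Constructed test frame (assumption of this example): 'total_len' zero bytes
 * with the version/ihl byte set to version 4 and 'claimed_ihl'. The claimed
 * length is deliberately independent of total_len so the header-only frame
 * with an oversized ihl from the report can be reproduced. */
static size_t make_frame(uint8_t *out, size_t cap, unsigned int claimed_ihl, size_t total_len)
{
    if (total_len > cap)
        return 0;
    memset(out, 0, total_len);
    if (total_len > 0)
        out[0] = (uint8_t)(0x40u | (claimed_ihl & 0x0fu));
    return total_len;
}

/* Build a frame with the given ihl and byte count, then validate it. */
int check_frame(unsigned int claimed_ihl, size_t total_len)
{
    uint8_t buf[128];
    size_t n = make_frame(buf, sizeof buf, claimed_ihl, total_len);
    return validate_hdrincl_frame(buf, n);
}

int main(void)
{
    printf("ihl=5,  len=20 -> %d\n", check_frame(5, 20));   /* 0: minimal valid header */
    printf("ihl=15, len=20 -> %d\n", check_frame(15, 20));  /* -EINVAL: the reported case */
    printf("ihl=15, len=60 -> %d\n", check_frame(15, 60));  /* 0: options fully present */
    printf("ihl=4,  len=20 -> %d\n", check_frame(4, 20));   /* -EINVAL: below minimum */
    return 0;
}
```

The second case is the one from the report: 20 bytes of data but an ihl of 15 (60 bytes). Rejecting it at the socket boundary means the later transport_header computation in the xfrm output path never sees a header length that points past the data that was actually copied in.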
Thread overview:
2009-10-28 17:39 [PATCH] AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl - Neil Horman
2009-10-28 18:13 ` Eric Dumazet
2009-10-28 18:59 ` [PATCH] AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2) - Neil Horman
2009-10-28 21:01 ` Eric Dumazet [this message]
2009-10-29 8:10 ` David Miller