From: Daniel Borkmann <daniel@iogearbox.net>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
Neil Horman <nhorman@tuxdriver.com>
Cc: linux-sctp@vger.kernel.org, Vlad Yasevich <vyasevich@gmail.com>,
davem@davemloft.net, netdev@vger.kernel.org
Subject: Re: [PATCH] sctp: Fix mangled IPv4 addresses on a IPv6 listening socket
Date: Wed, 27 May 2015 08:11:16 +0000 [thread overview]
Message-ID: <55657C24.1010601@iogearbox.net> (raw)
In-Reply-To: <20150526233017.GB22391@obsidianresearch.com>
On 05/27/2015 01:30 AM, Jason Gunthorpe wrote:
> sctp_v4_map_v6 was subtly writing and reading from members
> of a union in a way the clobbered data it needed to read before
s/the/that/
> it read it.
>
> Zeroing the v6 flowinfo overwrites the v4 sin_addr with 0, meaning
> that every place that calls sctp_v4_map_v6 gets ::ffff:0.0.0.0 as the
> result.
>
> Reorder things to guarantee correct behaviour no matter what the
> union layout is.
>
> This impacts user space clients that open an IPv6 SCTP socket and
> receive IPv4 connections. Prior to 299ee user space would see a
> sockaddr with AF_INET and a correct address, after 299ee the sockaddr
> is AF_INET6, but the address is wrong.
>
> Fixes: 299ee123e198 (sctp: Fixup v4mapped behaviour to comply with Sock API)
> Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
> ---
> include/net/sctp/sctp.h | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> This bugfix should be a candidate for -stable
>
> diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
> index 856f01cb51dd..230775f5952a 100644
> --- a/include/net/sctp/sctp.h
> +++ b/include/net/sctp/sctp.h
> @@ -571,11 +571,14 @@ static inline void sctp_v6_map_v4(union sctp_addr *addr)
> /* Map v4 address to v4-mapped v6 address */
> static inline void sctp_v4_map_v6(union sctp_addr *addr)
> {
> + __be16 port;
> +
> + port = addr->v4.sin_port;
> + addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
> + addr->v6.sin6_port = port;
> addr->v6.sin6_family = AF_INET6;
> addr->v6.sin6_flowinfo = 0;
> addr->v6.sin6_scope_id = 0;
> - addr->v6.sin6_port = addr->v4.sin_port;
> - addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
Change looks good to me. You actually would only need to address
the issue where the v4.sin_addr is copied before you overwrite/zero
the flowinfo as only these two overlap in the union. Given that
sockaddr_in and sockaddr_in6 are exported to uapi, they are immutable,
but I see the point that union sctp_addr is kernel private - bad
things happen if v4/v6 don't overlap the way anymore as they'd do
now. ;)
Anyways:
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
> addr->v6.sin6_addr.s6_addr32[0] = 0;
> addr->v6.sin6_addr.s6_addr32[1] = 0;
> addr->v6.sin6_addr.s6_addr32[2] = htonl(0x0000ffff);
>
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Borkmann <daniel@iogearbox.net>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
Neil Horman <nhorman@tuxdriver.com>
Cc: linux-sctp@vger.kernel.org, Vlad Yasevich <vyasevich@gmail.com>,
davem@davemloft.net, netdev@vger.kernel.org
Subject: Re: [PATCH] sctp: Fix mangled IPv4 addresses on a IPv6 listening socket
Date: Wed, 27 May 2015 10:11:16 +0200 [thread overview]
Message-ID: <55657C24.1010601@iogearbox.net> (raw)
In-Reply-To: <20150526233017.GB22391@obsidianresearch.com>
On 05/27/2015 01:30 AM, Jason Gunthorpe wrote:
> sctp_v4_map_v6 was subtly writing and reading from members
> of a union in a way the clobbered data it needed to read before
s/the/that/
> it read it.
>
> Zeroing the v6 flowinfo overwrites the v4 sin_addr with 0, meaning
> that every place that calls sctp_v4_map_v6 gets ::ffff:0.0.0.0 as the
> result.
>
> Reorder things to guarantee correct behaviour no matter what the
> union layout is.
>
> This impacts user space clients that open an IPv6 SCTP socket and
> receive IPv4 connections. Prior to 299ee user space would see a
> sockaddr with AF_INET and a correct address, after 299ee the sockaddr
> is AF_INET6, but the address is wrong.
>
> Fixes: 299ee123e198 (sctp: Fixup v4mapped behaviour to comply with Sock API)
> Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
> ---
> include/net/sctp/sctp.h | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> This bugfix should be a candidate for -stable
>
> diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
> index 856f01cb51dd..230775f5952a 100644
> --- a/include/net/sctp/sctp.h
> +++ b/include/net/sctp/sctp.h
> @@ -571,11 +571,14 @@ static inline void sctp_v6_map_v4(union sctp_addr *addr)
> /* Map v4 address to v4-mapped v6 address */
> static inline void sctp_v4_map_v6(union sctp_addr *addr)
> {
> + __be16 port;
> +
> + port = addr->v4.sin_port;
> + addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
> + addr->v6.sin6_port = port;
> addr->v6.sin6_family = AF_INET6;
> addr->v6.sin6_flowinfo = 0;
> addr->v6.sin6_scope_id = 0;
> - addr->v6.sin6_port = addr->v4.sin_port;
> - addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
Change looks good to me. You actually would only need to address
the issue where the v4.sin_addr is copied before you overwrite/zero
the flowinfo as only these two overlap in the union. Given that
sockaddr_in and sockaddr_in6 are exported to uapi, they are immutable,
but I see the point that union sctp_addr is kernel private - bad
things happen if v4/v6 don't overlap the way anymore as they'd do
now. ;)
Anyways:
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
> addr->v6.sin6_addr.s6_addr32[0] = 0;
> addr->v6.sin6_addr.s6_addr32[1] = 0;
> addr->v6.sin6_addr.s6_addr32[2] = htonl(0x0000ffff);
>
next prev parent reply other threads:[~2015-05-27 8:11 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-26 23:30 [PATCH] sctp: Fix mangled IPv4 addresses on a IPv6 listening socket Jason Gunthorpe
2015-05-26 23:30 ` Jason Gunthorpe
2015-05-27 8:11 ` Daniel Borkmann [this message]
2015-05-27 8:11 ` Daniel Borkmann
2015-05-27 9:06 ` David Laight
2015-05-27 9:34 ` Daniel Borkmann
2015-05-27 9:34 ` Daniel Borkmann
2015-05-27 10:11 ` David Laight
2015-05-27 15:32 ` Jason Gunthorpe
2015-05-27 15:32 ` Jason Gunthorpe
2015-05-27 16:16 ` David Laight
2015-05-27 16:31 ` Jason Gunthorpe
2015-05-27 16:31 ` Jason Gunthorpe
2015-05-27 16:41 ` David Laight
2015-05-27 17:04 ` Jason Gunthorpe
2015-05-27 17:04 ` Jason Gunthorpe
2015-05-28 8:58 ` David Laight
2015-05-27 14:06 ` Neil Horman
2015-05-27 14:06 ` Neil Horman
2015-05-27 18:17 ` David Miller
2015-05-27 18:17 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55657C24.1010601@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jgunthorpe@obsidianresearch.com \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.