From: Daniel Borkmann <daniel@iogearbox.net>
To: Sowmini Varadhan <sowmini.varadhan@oracle.com>,
	linux-kselftest@vger.kernel.org, netdev@vger.kernel.org
Cc: willemb@google.com, davem@davemloft.net, shuah@kernel.org
Subject: Re: [PATCH v3 net-next 1/2] tools: psock_lib: tighten conditions checked in sock_setfilter
Date: Wed, 04 Jan 2017 23:16:23 +0100
Message-ID: <586D7437.1050708@iogearbox.net>
In-Reply-To: <3aa068fa482f7cf5381957e9a3ea58550822d1d1.1483555162.git.sowmini.varadhan@oracle.com>

On 01/04/2017 07:45 PM, Sowmini Varadhan wrote:
> The bpf_prog used in sock_setfilter() only attempts to check for
> ip pktlen, and verifies that the contents of the 80'th packet in
> the ethernet frame is 'a' or 'b'.  Thus many non-udp packets
> could incorrectly pass through this filter and cause incorrect
> test results.
>
> This commit hardens the conditions checked by the filter so
> that only UDP/IPv4 packets with the matching length and test-character
> will be permitted by the filter. The filter has been cleaned up
> to explicitly use the BPF macros to make it more readable.
>
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
> Acked-by: Willem de Bruijn <willemb@google.com>
> ---
> v2: commit comment edited based on Willem de Bruijn review
> v3: Shuah Khan nit.
>
>   tools/testing/selftests/net/psock_lib.h |   29 ++++++++++++++++++++++-------
>   1 files changed, 22 insertions(+), 7 deletions(-)
>
> diff --git a/tools/testing/selftests/net/psock_lib.h b/tools/testing/selftests/net/psock_lib.h
> index 24bc7ec..9e5553a 100644
> --- a/tools/testing/selftests/net/psock_lib.h
> +++ b/tools/testing/selftests/net/psock_lib.h
> @@ -27,6 +27,7 @@
>   #include <string.h>
>   #include <arpa/inet.h>
>   #include <unistd.h>
> +#include <netinet/udp.h>
>
>   #define DATA_LEN			100
>   #define DATA_CHAR			'a'
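
Review bot: the include list gains only <netinet/udp.h>, but the rewritten sock_setfilter() also depends on struct iphdr, ETH_P_IP, IPPROTO_UDP and the BPF_STMT/BPF_JUMP macros, and none of the includes visible in this hunk's context (string.h, arpa/inet.h, unistd.h) is the obvious provider for the struct or the macros. If psock_lib.h currently picks those up from earlier includes or from the .c file that includes it, please confirm that, or add the corresponding headers next to this one so the header stays self-contained.
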
> @@ -40,14 +41,28 @@
>
>   static __maybe_unused void sock_setfilter(int fd, int lvl, int optnum)
>   {
> +	uint16_t ip_len = DATA_LEN +
> +			  sizeof(struct iphdr) +
> +			  sizeof(struct udphdr);
> +	/* the filter below checks for all of the following conditions that
> +	 * are based on the contents of create_payload()
> +	 *  ether type 0x800 and
> +	 *  ip proto udp     and
> +	 *  ip len == ip_len and
> +	 *  udp[38] == 'a' or udp[38] == 'b'
> +	 */
>   	struct sock_filter bpf_filter[] = {
> -		{ 0x80, 0, 0, 0x00000000 },  /* LD  pktlen		      */
> -		{ 0x35, 0, 4, DATA_LEN   },  /* JGE DATA_LEN  [f goto nomatch]*/
> -		{ 0x30, 0, 0, 0x00000050 },  /* LD  ip[80]		      */
> -		{ 0x15, 1, 0, DATA_CHAR  },  /* JEQ DATA_CHAR   [t goto match]*/
> -		{ 0x15, 0, 1, DATA_CHAR_1},  /* JEQ DATA_CHAR_1 [t goto match]*/
> -		{ 0x06, 0, 0, 0x00000060 },  /* RET match	              */
> -		{ 0x06, 0, 0, 0x00000000 },  /* RET no match		      */
> +		BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),	/* LD ethertype */
> +		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ETH_P_IP, 0, 8),
> +		BPF_STMT(BPF_LD|BPF_B|BPF_ABS, 23),	/* LD ip_proto */
> +		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, IPPROTO_UDP, 0, 6),
> +		BPF_STMT(BPF_LD|BPF_H|BPF_ABS, 16),	/* LD ip_len */
> +		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ip_len, 0, 4),
> +		BPF_STMT(BPF_LD|BPF_B|BPF_ABS, 80),	/* LD udp[38] */
> +		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DATA_CHAR, 1, 0),
> +		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DATA_CHAR_1, 0, 1),
> +		BPF_STMT(BPF_RET | BPF_K, ~0),		/* match */
> +		BPF_STMT(BPF_RET | BPF_K, 0)		/* no match */

Just reading up on the thread, sorry to jump in late. Can't you just
use the generated code from bpf_asm (tools/net/) and add the asm program
as a comment above? Something like we do in net/core/ptp_classifier.c +13.
As it stands it makes it a bit harder to parse / less readable with macros
actually. Rest seems fine, thanks.

>   	};
>   	struct sock_fprog bpf_prog;
>
>
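
Review bot: the "udp[38]" wording in the block comment and on the BPF_LD|BPF_B|BPF_ABS, 80 load is ambiguous. Absolute offset 80 is 14 (Ethernet) + 20 (IPv4 header without options) + 8 (UDP header) + 38, so the byte tested is byte 38 of the UDP payload, whereas tcpdump-style udp[38] would count from the start of the UDP header. Suggest saying "udp payload[38]" and stating in the comment that offsets 16, 23 and 80 assume a 20-byte IP header, since ip_len is built from sizeof(struct iphdr) and the filter never checks the header length field. The jump targets (8, 6, 4) are hand-counted distances to the final "no match" return and will silently break if an instruction is inserted, so a note to that effect, or the bpf_asm listing kept as a comment, would help whoever edits this next. Minor style point: spacing around "|" differs between BPF_LD | BPF_H | BPF_ABS on the first load and BPF_LD|BPF_B|BPF_ABS on the later ones; pick one form.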
