From: Bowers, AndrewX <andrewx.bowers@intel.com>
To: intel-wired-lan@osuosl.org
Subject: [Intel-wired-lan] [PATCH v3 net-next 7/7] ip6tlvs: Validation of TX Destination and Hop-by-Hop options
Date: Thu, 22 Aug 2019 17:19:16 +0000 [thread overview]
Message-ID: <47586f3eabf94339b5b74160cc5c7ee8@intel.com> (raw)
In-Reply-To: <1566254665-5200-8-git-send-email-tom@herbertland.com>
> -----Original Message-----
> From: Intel-wired-lan [mailto:intel-wired-lan-bounces at osuosl.org] On
> Behalf Of Tom Herbert
> Sent: Monday, August 19, 2019 3:44 PM
> To: Intel-wired-lan at lists.osuosl.org
> Cc: Tom Herbert <tom@herbertland.com>; Tom Herbert
> <tom@quantonium.net>
> Subject: [Intel-wired-lan] [PATCH v3 net-next 7/7] ip6tlvs: Validation of TX
> Destination and Hop-by-Hop options
>
> From: Tom Herbert <tom@quantonium.net>
>
> Validate Destination and Hop-by-Hop options. This uses the information in
> the TLV parameters table to validate various aspects of both individual TLVs
> as well as a list of TLVs in an extension header.
>
> There are two levels of validation that can be performed: simple checks and
> deep checks. Simple checks validate only the most basic properties such as
> that the TLV list fits into the EH. Deep checks do a fine grained validation that
> includes perferred ordering, length limits, and length alignment.
>
> With proper permissions set in the TLV parameter table, this patch allows
> non-privileged users to send TLVs. Given that TLVs are open ended and
> potentially a source of DOS attack, deep checks are performed to limit the
> format that a non-privileged user can send.
> If deep checks are enabled, a canonical format for sending TLVs is enforced
> (in adherence with the robustness principle). A TLV must be well ordered
> with respect to the preferred order for the TLV.
> Each TLV must be aligned as described in the parameter table. Minimal
> padding (one padding TLV) is used to align TLVs. The length of the extension
> header as well as the count of non-padding TLVs is checked against
> max_*_opts_len and max_*_opts_cnt. For individual TLVs, length limits and
> length alignment is checked.
>
> Signed-off-by: Tom Herbert <tom@herbertland.com>
> ---
> include/net/ipeh.h | 22 +++
> net/ipv6/datagram.c | 51 +++++--
> net/ipv6/exthdrs_common.c | 382
> ++++++++++++++++++++++++++++++++++++++++++++++
> net/ipv6/ipv6_sockglue.c | 39 ++---
> 4 files changed, 455 insertions(+), 39 deletions(-)
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
prev parent reply other threads:[~2019-08-22 17:19 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-19 22:44 [Intel-wired-lan] [PATCH v3 net-next 0/7] ipv6: Extension header infrastructure Tom Herbert
2019-08-19 22:44 ` [Intel-wired-lan] [PATCH v3 net-next 1/7] ipeh: Create exthdrs_options.c and ipeh.h Tom Herbert
2019-08-22 17:13 ` Bowers, AndrewX
2019-08-19 22:44 ` [Intel-wired-lan] [PATCH v3 net-next 2/7] ipeh: Move generic EH functions to exthdrs_common.c Tom Herbert
2019-08-22 17:13 ` Bowers, AndrewX
2019-08-19 22:44 ` [Intel-wired-lan] [PATCH v3 net-next 3/7] ipeh: Generic TLV parser Tom Herbert
2019-08-22 17:17 ` Bowers, AndrewX
2019-08-19 22:44 ` [Intel-wired-lan] [PATCH v3 net-next 4/7] ip6tlvs: Registration of TLV handlers and parameters Tom Herbert
2019-08-22 17:17 ` Bowers, AndrewX
2019-08-19 22:44 ` [Intel-wired-lan] [PATCH v3 net-next 5/7] ip6tlvs: Add TX parameters Tom Herbert
2019-08-22 17:18 ` Bowers, AndrewX
2019-08-19 22:44 ` [Intel-wired-lan] [PATCH v3 net-next 6/7] ip6tlvs: Add netlink interface Tom Herbert
2019-08-22 17:18 ` Bowers, AndrewX
2019-08-19 22:44 ` [Intel-wired-lan] [PATCH v3 net-next 7/7] ip6tlvs: Validation of TX Destination and Hop-by-Hop options Tom Herbert
2019-08-22 17:19 ` Bowers, AndrewX [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47586f3eabf94339b5b74160cc5c7ee8@intel.com \
--to=andrewx.bowers@intel.com \
--cc=intel-wired-lan@osuosl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox