From: Ben Hutchings <ben@decadent.org.uk>
To: Jon Maloy <jon.maloy@ericsson.com>, Ying Xue <ying.xue0@gmail.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Qian Zhang <zhangqian-c@360.cn>,
Eric Dumazet <edumazet@google.com>
Subject: Re: [PATCH net] tipc: Guard against tiny MTU in tipc_msg_build()
Date: Fri, 21 Oct 2016 16:00:05 +0100 [thread overview]
Message-ID: <1477062005.2670.5.camel@decadent.org.uk> (raw)
In-Reply-To: <A2BAEFC30C8FD34388F02C9B3121859D22588579@eusaamb103.ericsson.se>
[-- Attachment #1: Type: text/plain, Size: 2046 bytes --]
On Fri, 2016-10-21 at 14:57 +0000, Jon Maloy wrote:
> > -----Original Message-----
> > > > From: Ben Hutchings [mailto:ben@decadent.org.uk]
> > Sent: Thursday, 20 October, 2016 12:40
> > > > To: Jon Maloy <jon.maloy@ericsson.com>; Ying Xue <ying.xue0@gmail.com>
> > > > > > Cc: netdev@vger.kernel.org; Qian Zhang <zhangqian-c@360.cn>; Eric Dumazet
> > > > <edumazet@google.com>
> > Subject: Re: [PATCH net] tipc: Guard against tiny MTU in tipc_msg_build()
> >
> > On Thu, 2016-10-20 at 14:51 +0000, Jon Maloy wrote:
> > [...]
> > > > At this point we're about to copy INT_H_SIZE + mhsz bytes into the
> > > > first fragment. If that's already limited to be less than or equal to
> > > > MAX_H_SIZE, comparing with MAX_H_SIZE would be fine. But if
> >
> > MAX_H_SIZE
> > > > is the maximum value of mhsz, that won't be good enough.
> > >
> > >
> > >
> > > MAX_H_SIZE is 60 bytes, but in practice you will never see an mhsz larger than
> >
> > the biggest header we are actually using, which is MCAST_H_SIZE (==44 bytes).
> > > INT_H_SIZE is 40 bytes, so you are in reality testing for whether we have an mtu
> >
> > < 84 bytes.
> > > You won't find any interfaces or protocols that come even close to this
> >
> > limitation, so to me this test is redundant.
> >
> > But I can easily create such an interface:
> >
> > $ unshare -n -U -r
> > # ip l set lo mtu 1
> >
> > Ben.
>
>
> It won't be very useful though. But I assume you mean it could be a
> possible exploit,
Exactly.
> and I suspect a few other things would break both in TIPC and in
> other stacks if you do anything like that. I think the solution to
> this is not to fix all possible places in the code where this can go
> wrong, but rather to have a generic test where we refuse to attach
> bearers/interfaces offering an mtu < e.g. 1000 bytes. This can easily
> be done in tipc_enable_l2_media().
Yes.
Ben.
--
Ben Hutchings
One of the nice things about standards is that there are so many of
them.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
next prev parent reply other threads:[~2016-10-21 15:00 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-19 2:16 [PATCH net] tipc: Guard against tiny MTU in tipc_msg_build() Ben Hutchings
2016-10-20 9:30 ` Ying Xue
2016-10-20 12:46 ` Ben Hutchings
2016-10-20 14:51 ` Jon Maloy
2016-10-20 16:40 ` Ben Hutchings
2016-10-21 14:57 ` Jon Maloy
2016-10-21 15:00 ` Ben Hutchings [this message]
-- strict thread matches above, loose matches on Subject: below --
2016-11-01 6:35 张谦
2016-11-01 11:36 ` Jon Maloy
2016-11-04 7:23 张谦
2016-11-04 15:57 ` Jon Maloy
2016-11-04 17:45 ` 张谦
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1477062005.2670.5.camel@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=edumazet@google.com \
--cc=jon.maloy@ericsson.com \
--cc=netdev@vger.kernel.org \
--cc=ying.xue0@gmail.com \
--cc=zhangqian-c@360.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).