netdev.vger.kernel.org archive mirror
* [PATCH 0/2] GTP tunneling fixes for net
@ 2016-12-15 21:35 Pablo Neira Ayuso
  2016-12-15 21:35 ` [PATCH 1/2] gtp: gtp_check_src_ms_ipv4() always return success Pablo Neira Ayuso
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2016-12-15 21:35 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, laforge

Hi David,

The following patchset contains two GTP tunneling fixes for your net
tree, they are:

1) Offset to IPv4 header in gtp_check_src_ms_ipv4() is incorrect, thus
   this function always succeeds and therefore this defeats this sanity
   check. This allows packets that have no PDP to go through, patch from
   Lionel Gauthier.

2) According to Note 0 of Figure 2 in Section 6 of 3GPP TS 29.060 v13.5.0
   Release 13, always set GTPv1 reserved bit to zero. This may cause
   interoperability problems, patch from Harald Welte.

Please, apply, thanks a lot!

Harald Welte (1):
  gtp: Fix initialization of Flags octet in GTPv1 header

Lionel Gauthier (1):
  gtp: gtp_check_src_ms_ipv4() always return success

 drivers/net/gtp.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

-- 
2.1.4


* [PATCH 1/2] gtp: gtp_check_src_ms_ipv4() always return success
  2016-12-15 21:35 [PATCH 0/2] GTP tunneling fixes for net Pablo Neira Ayuso
@ 2016-12-15 21:35 ` Pablo Neira Ayuso
  2016-12-15 21:35 ` [PATCH 2/2] gtp: Fix initialization of Flags octet in GTPv1 header Pablo Neira Ayuso
  2016-12-17 17:01 ` [PATCH 0/2] GTP tunneling fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2016-12-15 21:35 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, laforge

From: Lionel Gauthier <Lionel.Gauthier@eurecom.fr>

gtp_check_src_ms_ipv4() did not find the PDP context matching with the
UE IP address because the memory location is not right, but the result
is inverted by the Boolean "not" operator.  So whatever is the PDP
context, any call to this function is successful.

Signed-off-by: Lionel Gauthier <Lionel.Gauthier@eurecom.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 drivers/net/gtp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index 98f10c216521..6031d499f2be 100644
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -158,9 +158,9 @@ static bool gtp_check_src_ms_ipv4(struct sk_buff *skb, struct pdp_ctx *pctx,
 	if (!pskb_may_pull(skb, hdrlen + sizeof(struct iphdr)))
 		return false;
 
-	iph = (struct iphdr *)(skb->data + hdrlen + sizeof(struct iphdr));
+	iph = (struct iphdr *)(skb->data + hdrlen);
 
-	return iph->saddr != pctx->ms_addr_ip4.s_addr;
+	return iph->saddr == pctx->ms_addr_ip4.s_addr;
 }
 
 /* Check if the inner IP source address in this packet is assigned to any
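Review bot: The changelog does not match what the `iph =` and `return` lines show, and it carries no Fixes: tag. The old offset `hdrlen + sizeof(struct iphdr)` pointed past the bytes that `pskb_may_pull(skb, hdrlen + sizeof(struct iphdr))` had just guaranteed to be linear, so `iph->saddr` was read from outside the validated range, and the inverted test was the `!=` comparison rather than a Boolean "not". Suggest stating both in the commit message and adding a Fixes: line referencing the commit that introduced the check, so stable trees pick up the restored source-address validation. The subject line also describes the bug rather than the fix; something like "gtp: fix inner IPv4 header offset and comparison in gtp_check_src_ms_ipv4()" would read better in the log.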
-- 
2.1.4


* [PATCH 2/2] gtp: Fix initialization of Flags octet in GTPv1 header
  2016-12-15 21:35 [PATCH 0/2] GTP tunneling fixes for net Pablo Neira Ayuso
  2016-12-15 21:35 ` [PATCH 1/2] gtp: gtp_check_src_ms_ipv4() always return success Pablo Neira Ayuso
@ 2016-12-15 21:35 ` Pablo Neira Ayuso
  2016-12-17 17:01 ` [PATCH 0/2] GTP tunneling fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2016-12-15 21:35 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, laforge

From: Harald Welte <laforge@gnumonks.org>

When generating a GTPv1 header in gtp1_push_header(), initialize the
'reserved' bit to zero.  All 3GPP specifications for GTPv1 from Release
99 through Release 13 agree that a transmitter shall set this bit to
zero, see e.g. Note 0 of Figure 2 in Section 6 of 3GPP TS 29.060 v13.5.0
Release 13, available from
http://www.etsi.org/deliver/etsi_ts/129000_129099/129060/13.05.00_60/ts_129060v130500p.pdf

Signed-off-by: Harald Welte <laforge@gnumonks.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 drivers/net/gtp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index 6031d499f2be..8b6810bad54b 100644
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -423,11 +423,11 @@ static inline void gtp1_push_header(struct sk_buff *skb, struct pdp_ctx *pctx)
 
 	/* Bits    8  7  6  5  4  3  2	1
 	 *	  +--+--+--+--+--+--+--+--+
-	 *	  |version |PT| 1| E| S|PN|
+	 *	  |version |PT| 0| E| S|PN|
 	 *	  +--+--+--+--+--+--+--+--+
 	 *	    0  0  1  1	1  0  0  0
 	 */
-	gtp1->flags	= 0x38; /* v1, GTP-non-prime. */
+	gtp1->flags	= 0x30; /* v1, GTP-non-prime. */
 	gtp1->type	= GTP_TPDU;
 	gtp1->length	= htons(payload_len);
 	gtp1->tid	= htonl(pctx->u.v1.o_tei);
-- 
2.1.4


* Re: [PATCH 0/2] GTP tunneling fixes for net
  2016-12-15 21:35 [PATCH 0/2] GTP tunneling fixes for net Pablo Neira Ayuso
  2016-12-15 21:35 ` [PATCH 1/2] gtp: gtp_check_src_ms_ipv4() always return success Pablo Neira Ayuso
  2016-12-15 21:35 ` [PATCH 2/2] gtp: Fix initialization of Flags octet in GTPv1 header Pablo Neira Ayuso
@ 2016-12-17 17:01 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2016-12-17 17:01 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, laforge

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 15 Dec 2016 22:35:51 +0100

> The following patchset contains two GTP tunneling fixes for your net
> tree, they are:
> 
> 1) Offset to IPv4 header in gtp_check_src_ms_ipv4() is incorrect, thus
>    this function always succeeds and therefore this defeats this sanity
>    check. This allows packets that have no PDP to go through, patch from
>    Lionel Gauthier.
> 
> 2) According to Note 0 of Figure 2 in Section 6 of 3GPP TS 29.060 v13.5.0
>    Release 13, always set GTPv1 reserved bit to zero. This may cause
>    interoperability problems, patch from Harald Welte.
> 
> Please, apply, thanks a lot!

Series applied, thanks Pablo.

