From: Tom Herbert <tom@herbertland.com>
To: davem@davemloft.net, netdev@vger.kernel.org, dlebrun@google.com,
ahabdels.dev@gmail.com
Cc: Tom Herbert <tom@quantonium.net>
Subject: [RFC PATCH 5/6] ah6: Be explicit about which routing types are processed.
Date: Fri, 31 May 2019 09:48:39 -0700 [thread overview]
Message-ID: <1559321320-9444-6-git-send-email-tom@quantonium.net> (raw)
In-Reply-To: <1559321320-9444-1-git-send-email-tom@quantonium.net>
The current code assumes that all routing headers can be processed
as type 0 when rearranging the routing header for AH verification.
Change this to be explicit. Type 0 and type 2 are supported and are
processed the same way with regards to AH.
Also check if rearranging routing header fails. Update reference
in comment to more current RFC.
Signed-off-by: Tom Herbert <tom@quantonium.net>
---
net/ipv6/ah6.c | 37 +++++++++++++++++++++++++++++--------
1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 1e80157..032491c 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -145,7 +145,7 @@ static bool zero_out_mutable_opts(struct ipv6_opt_hdr *opthdr)
/**
* ipv6_rearrange_destopt - rearrange IPv6 destination options header
* @iph: IPv6 header
- * @destopt: destionation options header
+ * @destopt: destination options header
*/
static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt)
{
@@ -204,15 +204,16 @@ static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *des
#endif
/**
- * ipv6_rearrange_rthdr - rearrange IPv6 routing header
+ * ipv6_rearrange_type0_rthdr - rearrange type 0 IPv6 routing header
* @iph: IPv6 header
* @rthdr: routing header
*
* Rearrange the destination address in @iph and the addresses in @rthdr
* so that they appear in the order they will at the final destination.
- * See Appendix A2 of RFC 2402 for details.
+ * See Appendix A2 of RFC 4302 for details.
*/
-static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr)
+static bool ipv6_rearrange_type0_rthdr(struct ipv6hdr *iph,
+ struct ipv6_rt_hdr *rthdr)
{
int segments, segments_left;
struct in6_addr *addrs;
@@ -220,15 +221,13 @@ static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr)
segments_left = rthdr->segments_left;
if (segments_left == 0)
- return;
+ return true;
rthdr->segments_left = 0;
/* The value of rthdr->hdrlen has been verified either by the system
* call if it is locally generated, or by ipv6_rthdr_rcv() for incoming
* packets. So we can assume that it is even and that segments is
* greater than or equal to segments_left.
- *
- * For the same reason we can assume that this option is of type 0.
*/
segments = rthdr->hdrlen >> 1;
@@ -240,6 +239,24 @@ static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr)
addrs[0] = iph->daddr;
iph->daddr = final_addr;
+
+ return true;
+}
+
+static bool ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr)
+{
+ switch (rthdr->type) {
+ case IPV6_SRCRT_TYPE_2:
+ /* Simplified format of type 0 so same processing */
+ /* fallthrough */
+ case IPV6_SRCRT_TYPE_0: /* Deprecated */
+ return ipv6_rearrange_type0_rthdr(iph, rthdr);
+ default:
+ /* Bad or unidentified routing header, we don't know how
+ * to fix this header for security purposes. Return failure.
+ */
+ return false;
+ }
}
static int ipv6_clear_mutable_options(struct ipv6hdr *iph, int len, int dir)
@@ -271,7 +288,11 @@ static int ipv6_clear_mutable_options(struct ipv6hdr *iph, int len, int dir)
break;
case NEXTHDR_ROUTING:
- ipv6_rearrange_rthdr(iph, exthdr.rth);
+ if (!ipv6_rearrange_rthdr(iph, exthdr.rth)) {
+ net_dbg_ratelimited("bad routing header\n");
+ return -EINVAL;
+ }
+
break;
default:
--
2.7.4
next prev parent reply other threads:[~2019-05-31 16:50 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-31 16:48 [RFC PATCH 0/6] seg6: Segment routing fixes Tom Herbert
2019-05-31 16:48 ` [RFC PATCH 1/6] seg6: Fix TLV definitions Tom Herbert
2019-05-31 16:48 ` [RFC PATCH 2/6] seg6: Implement a TLV parsing loop Tom Herbert
2019-05-31 16:48 ` [RFC PATCH 3/6] seg6: Obsolete unused SRH flags Tom Herbert
2019-05-31 16:48 ` [RFC PATCH 4/6] ah6: Create function __zero_out_mutable_opts Tom Herbert
2019-05-31 16:48 ` Tom Herbert [this message]
2019-05-31 16:48 ` [RFC PATCH 6/6] seg6: Add support to rearrange SRH for AH ICV calculation Tom Herbert
2019-05-31 17:07 ` Ahmed Abdelsalam
2019-05-31 17:34 ` Tom Herbert
2019-06-02 9:54 ` Ahmed Abdelsalam
2019-06-02 15:48 ` Tom Herbert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1559321320-9444-6-git-send-email-tom@quantonium.net \
--to=tom@herbertland.com \
--cc=ahabdels.dev@gmail.com \
--cc=davem@davemloft.net \
--cc=dlebrun@google.com \
--cc=netdev@vger.kernel.org \
--cc=tom@quantonium.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).