[PATCH] ipv6: fix the bug when propagating Redirect Message

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ipv6: fix the bug when propagating Redirect Message
@ 2012-10-23 15:26 Duan Jiong
  2012-10-24  4:54 ` Steffen Klassert
  0 siblings, 1 reply; 6+ messages in thread
From: Duan Jiong @ 2012-10-23 15:26 UTC (permalink / raw)
  To: davem; +Cc: netdev


Before using icmpv6_notify() to propagate redirect, change skb->data
to poing the IP packet that triggered the sending of the Redirect.

Signed-off-by: Duan Jiong <djduanjiong@gmail.com>
---
 net/ipv6/ndisc.c |   39 +++++++++++++++++++++++++++++++++++++++
 1 files changed, 39 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index ff36194..0f73303 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1334,6 +1334,11 @@ out:
 
 static void ndisc_redirect_rcv(struct sk_buff *skb)
 {
+	int opt_len;
+	int opt_offset;
+	int ndisc_head_len;
+	struct nd_opt_hdr *nd_opt;
+	
 #ifdef CONFIG_IPV6_NDISC_NODETYPE
 	switch (skb->ndisc_nodetype) {
 	case NDISC_NODETYPE_HOST:
@@ -1350,6 +1355,40 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
 		return;
 	}
 
+	ndisc_head_len = sizeof(struct icmp6hdr) + 2*sizeof(struct in6_addr);
+	if (!pskb_may_pull(skb, ndisc_head_len)) {
+		return;
+	}
+
+	nd_opt = (struct nd_opt_hdr *)(skb->data + ndisc_head_len);
+
+	opt_len = skb->tail - skb->transport_header - ndisc_head_len;
+	if (opt_len < 0) {
+		return;
+	}
+	while (opt_len) {
+		int l;
+	
+		if (opt_len < sizeof(struct nd_opt_hdr)) {
+			return;
+		}
+		l = nd_opt->nd_opt_len << 3;
+		if (opt_len < l || l == 0) {
+			return;
+		}
+		if (nd_opt->nd_opt_type == ND_OPT_REDIRECT_HDR) {
+			__skb_pull(skb, ndisc_head_len + opt_offset + 8);
+			break;
+		}
+		opt_len -= l;
+		nd_opt = ((void *)nd_opt) + 1;
+		opt_offset += 1;
+	}
+	
+	if (opt_len == 0) {
+		return;
+	}	
+
 	icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
 }
 
-- 
1.7.4.4

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] ipv6: fix the bug when propagating Redirect Message
  2012-10-23 15:26 [PATCH] ipv6: fix the bug when propagating Redirect Message Duan Jiong
@ 2012-10-24  4:54 ` Steffen Klassert
  2012-11-09  8:54   ` Steffen Klassert
  2012-12-11 12:58   ` Duan Jiong
  0 siblings, 2 replies; 6+ messages in thread
From: Steffen Klassert @ 2012-10-24  4:54 UTC (permalink / raw)
  To: Duan Jiong; +Cc: davem, netdev

On Tue, Oct 23, 2012 at 11:26:25PM +0800, Duan Jiong wrote:
> 
> Before using icmpv6_notify() to propagate redirect, change skb->data
> to poing the IP packet that triggered the sending of the Redirect.
> 
> Signed-off-by: Duan Jiong <djduanjiong@gmail.com>
> ---
>  net/ipv6/ndisc.c |   39 +++++++++++++++++++++++++++++++++++++++
>  1 files changed, 39 insertions(+), 0 deletions(-)
> 
> diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
> index ff36194..0f73303 100644
> --- a/net/ipv6/ndisc.c
> +++ b/net/ipv6/ndisc.c
> @@ -1334,6 +1334,11 @@ out:
>  
>  static void ndisc_redirect_rcv(struct sk_buff *skb)
>  {
> +	int opt_len;
> +	int opt_offset;
> +	int ndisc_head_len;
> +	struct nd_opt_hdr *nd_opt;
> +	
>  #ifdef CONFIG_IPV6_NDISC_NODETYPE
>  	switch (skb->ndisc_nodetype) {
>  	case NDISC_NODETYPE_HOST:
> @@ -1350,6 +1355,40 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
>  		return;
>  	}
>  
> +	ndisc_head_len = sizeof(struct icmp6hdr) + 2*sizeof(struct in6_addr);
> +	if (!pskb_may_pull(skb, ndisc_head_len)) {
> +		return;
> +	}
> +
> +	nd_opt = (struct nd_opt_hdr *)(skb->data + ndisc_head_len);
> +
> +	opt_len = skb->tail - skb->transport_header - ndisc_head_len;
> +	if (opt_len < 0) {
> +		return;
> +	}
> +	while (opt_len) {
> +		int l;
> +	
> +		if (opt_len < sizeof(struct nd_opt_hdr)) {
> +			return;
> +		}
> +		l = nd_opt->nd_opt_len << 3;
> +		if (opt_len < l || l == 0) {
> +			return;
> +		}
> +		if (nd_opt->nd_opt_type == ND_OPT_REDIRECT_HDR) {
> +			__skb_pull(skb, ndisc_head_len + opt_offset + 8);
> +			break;
> +		}
> +		opt_len -= l;
> +		nd_opt = ((void *)nd_opt) + 1;
> +		opt_offset += 1;
> +	}

Instead of the above loop, you could use ndisc_parse_options().
This does the same what you are doing here and it would make it
a bit clearer what's going on.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ipv6: fix the bug when propagating Redirect Message
  2012-10-24  4:54 ` Steffen Klassert
@ 2012-11-09  8:54   ` Steffen Klassert
  2012-12-11 12:58   ` Duan Jiong
  1 sibling, 0 replies; 6+ messages in thread
From: Steffen Klassert @ 2012-11-09  8:54 UTC (permalink / raw)
  To: Duan Jiong; +Cc: davem, netdev

On Wed, Oct 24, 2012 at 06:54:10AM +0200, Steffen Klassert wrote:
> On Tue, Oct 23, 2012 at 11:26:25PM +0800, Duan Jiong wrote:
> > +	while (opt_len) {
> > +		int l;
> > +	
> > +		if (opt_len < sizeof(struct nd_opt_hdr)) {
> > +			return;
> > +		}
> > +		l = nd_opt->nd_opt_len << 3;
> > +		if (opt_len < l || l == 0) {
> > +			return;
> > +		}
> > +		if (nd_opt->nd_opt_type == ND_OPT_REDIRECT_HDR) {
> > +			__skb_pull(skb, ndisc_head_len + opt_offset + 8);
> > +			break;
> > +		}
> > +		opt_len -= l;
> > +		nd_opt = ((void *)nd_opt) + 1;
> > +		opt_offset += 1;
> > +	}
> 
> Instead of the above loop, you could use ndisc_parse_options().
> This does the same what you are doing here and it would make it
> a bit clearer what's going on.
> 

Duan, are you going to update your patches? We really need fixes
for the problems you have discovered.

Thanks!

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ipv6: fix the bug when propagating Redirect Message
  2012-10-24  4:54 ` Steffen Klassert
  2012-11-09  8:54   ` Steffen Klassert
@ 2012-12-11 12:58   ` Duan Jiong
  2012-12-11 13:45     ` Steffen Klassert
  1 sibling, 1 reply; 6+ messages in thread
From: Duan Jiong @ 2012-12-11 12:58 UTC (permalink / raw)
  To: Steffen Klassert; +Cc: davem, netdev

于 2012/10/24 12:54, Steffen Klassert 写道:
> On Tue, Oct 23, 2012 at 11:26:25PM +0800, Duan Jiong wrote:
>>
>> Before using icmpv6_notify() to propagate redirect, change skb->data
>> to poing the IP packet that triggered the sending of the Redirect.
>>
>> Signed-off-by: Duan Jiong <djduanjiong@gmail.com>
>> ---
>>  net/ipv6/ndisc.c |   39 +++++++++++++++++++++++++++++++++++++++
>>  1 files changed, 39 insertions(+), 0 deletions(-)
>>
>> diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
>> index ff36194..0f73303 100644
>> --- a/net/ipv6/ndisc.c
>> +++ b/net/ipv6/ndisc.c
>> @@ -1334,6 +1334,11 @@ out:
>>  
>>  static void ndisc_redirect_rcv(struct sk_buff *skb)
>>  {
>> +	int opt_len;
>> +	int opt_offset;
>> +	int ndisc_head_len;
>> +	struct nd_opt_hdr *nd_opt;
>> +	
>>  #ifdef CONFIG_IPV6_NDISC_NODETYPE
>>  	switch (skb->ndisc_nodetype) {
>>  	case NDISC_NODETYPE_HOST:
>> @@ -1350,6 +1355,40 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
>>  		return;
>>  	}
>>  
>> +	ndisc_head_len = sizeof(struct icmp6hdr) + 2*sizeof(struct in6_addr);
>> +	if (!pskb_may_pull(skb, ndisc_head_len)) {
>> +		return;
>> +	}
>> +
>> +	nd_opt = (struct nd_opt_hdr *)(skb->data + ndisc_head_len);
>> +
>> +	opt_len = skb->tail - skb->transport_header - ndisc_head_len;
>> +	if (opt_len < 0) {
>> +		return;
>> +	}
>> +	while (opt_len) {
>> +		int l;
>> +	
>> +		if (opt_len < sizeof(struct nd_opt_hdr)) {
>> +			return;
>> +		}
>> +		l = nd_opt->nd_opt_len << 3;
>> +		if (opt_len < l || l == 0) {
>> +			return;
>> +		}
>> +		if (nd_opt->nd_opt_type == ND_OPT_REDIRECT_HDR) {
>> +			__skb_pull(skb, ndisc_head_len + opt_offset + 8);
>> +			break;
>> +		}
>> +		opt_len -= l;
>> +		nd_opt = ((void *)nd_opt) + 1;
>> +		opt_offset += 1;
>> +	}
> 
> Instead of the above loop, you could use ndisc_parse_options().
> This does the same what you are doing here and it would make it
> a bit clearer what's going on.
> 
I apologize for not replying to you earlier,and i will continue 
to update my patches. 

Just like you said, i try to use ndisc_parse_options() to instead
of the loop, but i find the skb->data can't be changed in function
ndisc_parse_options() due to lack of  arguments. So i think it is
better to continue to use the loop. How do you think this?

Thanks!

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ipv6: fix the bug when propagating Redirect Message
  2012-12-11 12:58   ` Duan Jiong
@ 2012-12-11 13:45     ` Steffen Klassert
  2012-12-12 11:09       ` Duan Jiong
  0 siblings, 1 reply; 6+ messages in thread
From: Steffen Klassert @ 2012-12-11 13:45 UTC (permalink / raw)
  To: Duan Jiong; +Cc: davem, netdev

On Tue, Dec 11, 2012 at 08:58:20PM +0800, Duan Jiong wrote:
> 
> Just like you said, i try to use ndisc_parse_options() to instead
> of the loop, but i find the skb->data can't be changed in function
> ndisc_parse_options() due to lack of  arguments. So i think it is
> better to continue to use the loop. How do you think this?
> 

You can change the data pointer after ndisc_parse_options().
Something like the (untested) patch below should do it.

 include/net/ndisc.h |    7 +++++++
 net/ipv6/ndisc.c    |   20 ++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/include/net/ndisc.h b/include/net/ndisc.h
index 980d263..c17bccd 100644
--- a/include/net/ndisc.h
+++ b/include/net/ndisc.h
@@ -78,6 +78,13 @@ struct ra_msg {
 	__be32			retrans_timer;
 };
 
+struct rd_msg {
+        struct icmp6hdr	icmph;
+        struct in6_addr	target;
+        struct in6_addr	dest;
+	__u8		opt[0];
+};
+
 struct nd_opt_hdr {
 	__u8		nd_opt_type;
 	__u8		nd_opt_len;
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 2edce30..9afd23f 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1333,6 +1333,12 @@ out:
 
 static void ndisc_redirect_rcv(struct sk_buff *skb)
 {
+	u8 *hdr;
+	struct ndisc_options ndopts;
+	struct rd_msg *msg = (struct rd_msg *) skb_transport_header(skb);
+	u32 ndoptlen = skb->tail - (skb->transport_header +
+				    offsetof(struct rd_msg, opt));
+
 #ifdef CONFIG_IPV6_NDISC_NODETYPE
 	switch (skb->ndisc_nodetype) {
 	case NDISC_NODETYPE_HOST:
@@ -1349,6 +1355,20 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
 		return;
 	}
 
+	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
+		ND_PRINTK(2, warn, "Redirect: invalid ND options\n");
+		return;
+	}
+
+	if (!ndopts.nd_opts_rh)
+		return;
+
+	hdr = (u8 *) ndopts.nd_opts_rh;
+	hdr += 8;
+
+	if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
+		return;
+
 	icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
 }
 
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] ipv6: fix the bug when propagating Redirect Message
  2012-12-11 13:45     ` Steffen Klassert
@ 2012-12-12 11:09       ` Duan Jiong
  0 siblings, 0 replies; 6+ messages in thread
From: Duan Jiong @ 2012-12-12 11:09 UTC (permalink / raw)
  To: Steffen Klassert; +Cc: davem, netdev

于 2012/12/11 21:45, Steffen Klassert 写道:
> On Tue, Dec 11, 2012 at 08:58:20PM +0800, Duan Jiong wrote:
>>
>> Just like you said, i try to use ndisc_parse_options() to instead
>> of the loop, but i find the skb->data can't be changed in function
>> ndisc_parse_options() due to lack of  arguments. So i think it is
>> better to continue to use the loop. How do you think this?
>>
> 
> You can change the data pointer after ndisc_parse_options().
> Something like the (untested) patch below should do it.
> 
>  include/net/ndisc.h |    7 +++++++
>  net/ipv6/ndisc.c    |   20 ++++++++++++++++++++
>  2 files changed, 27 insertions(+)
> 
> diff --git a/include/net/ndisc.h b/include/net/ndisc.h
> index 980d263..c17bccd 100644
> --- a/include/net/ndisc.h
> +++ b/include/net/ndisc.h
> @@ -78,6 +78,13 @@ struct ra_msg {
>  	__be32			retrans_timer;
>  };
>  
> +struct rd_msg {
> +        struct icmp6hdr	icmph;
> +        struct in6_addr	target;
> +        struct in6_addr	dest;
> +	__u8		opt[0];
> +};
> +
>  struct nd_opt_hdr {
>  	__u8		nd_opt_type;
>  	__u8		nd_opt_len;
> diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
> index 2edce30..9afd23f 100644
> --- a/net/ipv6/ndisc.c
> +++ b/net/ipv6/ndisc.c
> @@ -1333,6 +1333,12 @@ out:
>  
>  static void ndisc_redirect_rcv(struct sk_buff *skb)
>  {
> +	u8 *hdr;
> +	struct ndisc_options ndopts;
> +	struct rd_msg *msg = (struct rd_msg *) skb_transport_header(skb);
> +	u32 ndoptlen = skb->tail - (skb->transport_header +
> +				    offsetof(struct rd_msg, opt));
> +
>  #ifdef CONFIG_IPV6_NDISC_NODETYPE
>  	switch (skb->ndisc_nodetype) {
>  	case NDISC_NODETYPE_HOST:
> @@ -1349,6 +1355,20 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
>  		return;
>  	}
>  
> +	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
> +		ND_PRINTK(2, warn, "Redirect: invalid ND options\n");
> +		return;
> +	}
> +
> +	if (!ndopts.nd_opts_rh)
> +		return;
> +
> +	hdr = (u8 *) ndopts.nd_opts_rh;
> +	hdr += 8;
> +
> +	if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
> +		return;
> +
>  	icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
>  }
>  
> 
Thanks for you help. I will test it.

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2012-12-12 11:09 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-10-23 15:26 [PATCH] ipv6: fix the bug when propagating Redirect Message Duan Jiong
2012-10-24  4:54 ` Steffen Klassert
2012-11-09  8:54   ` Steffen Klassert
2012-12-11 12:58   ` Duan Jiong
2012-12-11 13:45     ` Steffen Klassert
2012-12-12 11:09       ` Duan Jiong

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).