[PATCH] bridge: multicast: add sanity check for query source addresses

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] bridge: multicast: add sanity check for query source addresses
@ 2014-03-04  2:57 Linus Lüssing
  2014-03-04  9:06 ` Hannes Frederic Sowa
  2014-03-06  1:46 ` David Miller
  0 siblings, 2 replies; 5+ messages in thread
From: Linus Lüssing @ 2014-03-04  2:57 UTC (permalink / raw)
  To: netdev
  Cc: Florian Westphal, bridge, linux-kernel, David S. Miller,
	Stephen Hemminger, Linus Lüssing, Jan Stancek

MLD queries are supposed to have an IPv6 link-local source address
according to RFC2710, section 4 and RFC3810, section 5.1.14. This patch
adds a sanity check to ignore such broken MLD queries.

Without this check, such malformed MLD queries can result in a
denial of service: The queries are ignored by any MLD listener
therefore they will not respond with an MLD report. However,
without this patch these malformed MLD queries would enable the
snooping part in the bridge code, potentially shutting down the
according ports towards these hosts for multicast traffic as the
bridge did not learn about these listeners.

Reported-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Linus Lüssing <linus.luessing@web.de>
---
 net/bridge/br_multicast.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index ef66365..fb0e36f 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1235,6 +1235,12 @@ static int br_ip6_multicast_query(struct net_bridge *br,
 	    (port && port->state == BR_STATE_DISABLED))
 		goto out;

+	/* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */
+	if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL)) {
+		err = -EINVAL;
+		goto out;
+	}
+
 	if (skb->len == sizeof(*mld)) {
 		if (!pskb_may_pull(skb, sizeof(*mld))) {
 			err = -EINVAL;
-- 
1.7.10.4

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] bridge: multicast: add sanity check for query source addresses
  2014-03-04  2:57 [PATCH] bridge: multicast: add sanity check for query source addresses Linus Lüssing
@ 2014-03-04  9:06 ` Hannes Frederic Sowa
  2014-03-04 10:43   ` Linus Lüssing
  2014-03-06  1:46 ` David Miller
  1 sibling, 1 reply; 5+ messages in thread
From: Hannes Frederic Sowa @ 2014-03-04  9:06 UTC (permalink / raw)
  To: Linus Lüssing
  Cc: netdev, bridge, Stephen Hemminger, David S. Miller, linux-kernel,
	Jan Stancek, Florian Westphal

On Tue, Mar 04, 2014 at 03:57:35AM +0100, Linus Lüssing wrote:
> MLD queries are supposed to have an IPv6 link-local source address
> according to RFC2710, section 4 and RFC3810, section 5.1.14. This patch
> adds a sanity check to ignore such broken MLD queries.
> 
> Without this check, such malformed MLD queries can result in a
> denial of service: The queries are ignored by any MLD listener
> therefore they will not respond with an MLD report. However,
> without this patch these malformed MLD queries would enable the
> snooping part in the bridge code, potentially shutting down the
> according ports towards these hosts for multicast traffic as the
> bridge did not learn about these listeners.
> 
> Reported-by: Jan Stancek <jstancek@redhat.com>
> Signed-off-by: Linus Lüssing <linus.luessing@web.de>
> ---
>  net/bridge/br_multicast.c |    6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
> index ef66365..fb0e36f 100644
> --- a/net/bridge/br_multicast.c
> +++ b/net/bridge/br_multicast.c
> @@ -1235,6 +1235,12 @@ static int br_ip6_multicast_query(struct net_bridge *br,
>  	    (port && port->state == BR_STATE_DISABLED))
>  		goto out;
>  
> +	/* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */
> +	if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL)) {
> +		err = -EINVAL;
> +		goto out;
> +	}
> +

Shouldn't we allow empty source address, here?

Routers are supposed to drop them but bridges care. Linux uses ::
as source address as long as no valid LL addresses are available,
e.g. at boot-up (RFC3810 5.2.13.).

Greetings,

  Hannes

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] bridge: multicast: add sanity check for query source addresses
  2014-03-04  9:06 ` Hannes Frederic Sowa
@ 2014-03-04 10:43   ` Linus Lüssing
  2014-03-04 20:00     ` Hannes Frederic Sowa
  0 siblings, 1 reply; 5+ messages in thread
From: Linus Lüssing @ 2014-03-04 10:43 UTC (permalink / raw)
  To: Hannes Frederic Sowa
  Cc: netdev, Florian Westphal, bridge, linux-kernel, David S. Miller,
	Stephen Hemminger, Jan Stancek

[-- Attachment #1: Type: text/plain, Size: 1176 bytes --]

On Tue, Mar 04, 2014 at 10:06:14AM +0100, Hannes Frederic Sowa wrote:
> > diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
> > index ef66365..fb0e36f 100644
> > --- a/net/bridge/br_multicast.c
> > +++ b/net/bridge/br_multicast.c
> > @@ -1235,6 +1235,12 @@ static int br_ip6_multicast_query(struct net_bridge *br,
> >  	    (port && port->state == BR_STATE_DISABLED))
> >  		goto out;
> >  
> > +	/* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */
> > +	if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL)) {
> > +		err = -EINVAL;
> > +		goto out;
> > +	}
> > +
> 
> Shouldn't we allow empty source address, here?
> 
> Routers are supposed to drop them but bridges care. Linux uses ::
> as source address as long as no valid LL addresses are available,
> e.g. at boot-up (RFC3810 5.2.13.).

RFC3810, 5.2.13. refers to MLD reports, not queries, so that
shouldn't be relevant, section 5.1.14 should apply. Also the
bridge code only issues queries with a valid link-local source
address (see br_ip6_multicast_alloc_query() in
net/bridge/br_multicast.c). Where does Linux use :: for queries?

Cheers, Linus

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] bridge: multicast: add sanity check for query source addresses
  2014-03-04 10:43   ` Linus Lüssing
@ 2014-03-04 20:00     ` Hannes Frederic Sowa
  0 siblings, 0 replies; 5+ messages in thread
From: Hannes Frederic Sowa @ 2014-03-04 20:00 UTC (permalink / raw)
  To: Linus Lüssing
  Cc: netdev, Florian Westphal, bridge, linux-kernel, David S. Miller,
	Stephen Hemminger, Jan Stancek

On Tue, Mar 04, 2014 at 11:43:55AM +0100, Linus Lüssing wrote:
> On Tue, Mar 04, 2014 at 10:06:14AM +0100, Hannes Frederic Sowa wrote:
> > > diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
> > > index ef66365..fb0e36f 100644
> > > --- a/net/bridge/br_multicast.c
> > > +++ b/net/bridge/br_multicast.c
> > > @@ -1235,6 +1235,12 @@ static int br_ip6_multicast_query(struct net_bridge *br,
> > >  	    (port && port->state == BR_STATE_DISABLED))
> > >  		goto out;
> > >  
> > > +	/* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */
> > > +	if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL)) {
> > > +		err = -EINVAL;
> > > +		goto out;
> > > +	}
> > > +
> > 
> > Shouldn't we allow empty source address, here?
> > 
> > Routers are supposed to drop them but bridges care. Linux uses ::
> > as source address as long as no valid LL addresses are available,
> > e.g. at boot-up (RFC3810 5.2.13.).
> 
> RFC3810, 5.2.13. refers to MLD reports, not queries, so that
> shouldn't be relevant, section 5.1.14 should apply. Also the
> bridge code only issues queries with a valid link-local source
> address (see br_ip6_multicast_alloc_query() in
> net/bridge/br_multicast.c). Where does Linux use :: for queries?

Sorry, I confused queries with reports.
Your patch looks good, same check as in igmp6_event_query.

Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

Bye,

  Hannes

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] bridge: multicast: add sanity check for query source addresses
  2014-03-04  2:57 [PATCH] bridge: multicast: add sanity check for query source addresses Linus Lüssing
  2014-03-04  9:06 ` Hannes Frederic Sowa
@ 2014-03-06  1:46 ` David Miller
  1 sibling, 0 replies; 5+ messages in thread
From: David Miller @ 2014-03-06  1:46 UTC (permalink / raw)
  To: linus.luessing; +Cc: netdev, fwestpha, bridge, linux-kernel, stephen, jstancek

From: Linus Lüssing <linus.luessing@web.de>
Date: Tue,  4 Mar 2014 03:57:35 +0100

> MLD queries are supposed to have an IPv6 link-local source address
> according to RFC2710, section 4 and RFC3810, section 5.1.14. This patch
> adds a sanity check to ignore such broken MLD queries.
> 
> Without this check, such malformed MLD queries can result in a
> denial of service: The queries are ignored by any MLD listener
> therefore they will not respond with an MLD report. However,
> without this patch these malformed MLD queries would enable the
> snooping part in the bridge code, potentially shutting down the
> according ports towards these hosts for multicast traffic as the
> bridge did not learn about these listeners.
> 
> Reported-by: Jan Stancek <jstancek@redhat.com>
> Signed-off-by: Linus Lüssing <linus.luessing@web.de>

Applied.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2014-03-06  1:46 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-03-04  2:57 [PATCH] bridge: multicast: add sanity check for query source addresses Linus Lüssing
2014-03-04  9:06 ` Hannes Frederic Sowa
2014-03-04 10:43   ` Linus Lüssing
2014-03-04 20:00     ` Hannes Frederic Sowa
2014-03-06  1:46 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).