* [PATCH v2 net] ipv6: Fix MLD Query message check
@ 2014-06-25 1:31 Hangbin Liu
2014-06-27 0:33 ` David Miller
0 siblings, 1 reply; 3+ messages in thread
From: Hangbin Liu @ 2014-06-25 1:31 UTC (permalink / raw)
To: David Miller; +Cc: network dev, Hangbin Liu
Based on RFC3810 6.2, we also need to check the hop limit and router alert
option besides source address.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
---
net/ipv6/mcast.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 08b367c..fe27a77 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1301,8 +1301,18 @@ int igmp6_event_query(struct sk_buff *skb)
len = ntohs(ipv6_hdr(skb)->payload_len) + sizeof(struct ipv6hdr);
len -= skb_network_header_len(skb);
- /* Drop queries with not link local source */
- if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL))
+ /* RFC3810 6.2
+ * Upon reception of an MLD message that contains a Query, the node
+ * checks if the source address of the message is a valid link-local
+ * address, if the Hop Limit is set to 1, and if the Router Alert
+ * option is present in the Hop-By-Hop Options header of the IPv6
+ * packet. If any of these checks fails, the packet is dropped.
+ */
+ if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL) ||
+ ipv6_hdr(skb)->hop_limit != 1 ||
+ ipv6_hdr(skb)->nexthdr != NEXTHDR_HOP ||
+ !(IP6CB(skb)->flags & IP6SKB_ROUTERALERT) ||
+ IP6CB(skb)->ra != htons(IPV6_OPT_ROUTERALERT_MLD))
return -EINVAL;
idev = __in6_dev_get(skb->dev);
--
1.8.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2 net] ipv6: Fix MLD Query message check
2014-06-25 1:31 [PATCH v2 net] ipv6: Fix MLD Query message check Hangbin Liu
@ 2014-06-27 0:33 ` David Miller
2014-06-27 1:56 ` Hangbin Liu
0 siblings, 1 reply; 3+ messages in thread
From: David Miller @ 2014-06-27 0:33 UTC (permalink / raw)
To: liuhangbin; +Cc: netdev
From: Hangbin Liu <liuhangbin@gmail.com>
Date: Wed, 25 Jun 2014 09:31:07 +0800
> @@ -1301,8 +1301,18 @@ int igmp6_event_query(struct sk_buff *skb)
> len = ntohs(ipv6_hdr(skb)->payload_len) + sizeof(struct ipv6hdr);
> len -= skb_network_header_len(skb);
>
> - /* Drop queries with not link local source */
> - if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL))
> + /* RFC3810 6.2
> + * Upon reception of an MLD message that contains a Query, the node
> + * checks if the source address of the message is a valid link-local
> + * address, if the Hop Limit is set to 1, and if the Router Alert
> + * option is present in the Hop-By-Hop Options header of the IPv6
> + * packet. If any of these checks fails, the packet is dropped.
> + */
> + if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL) ||
> + ipv6_hdr(skb)->hop_limit != 1 ||
> + ipv6_hdr(skb)->nexthdr != NEXTHDR_HOP ||
> + !(IP6CB(skb)->flags & IP6SKB_ROUTERALERT) ||
> + IP6CB(skb)->ra != htons(IPV6_OPT_ROUTERALERT_MLD))
> return -EINVAL;
>
Does the NEXTHDR_HOP have the be exactly the next extension header
present? I think you need to allow for more flexibility here.
In any event, the only way the IP6SKB_ROUTERALERT bit can be set
is if there were hop-by-hop options present, so testing only the
bit itself is sufficient.
The forwarding path simplifies the check in this way too.
So please adjust this to only check the bit and remove the NEXTHDR_HOP
test.
Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v2 net] ipv6: Fix MLD Query message check
2014-06-27 0:33 ` David Miller
@ 2014-06-27 1:56 ` Hangbin Liu
0 siblings, 0 replies; 3+ messages in thread
From: Hangbin Liu @ 2014-06-27 1:56 UTC (permalink / raw)
To: David Miller; +Cc: network dev
2014-06-27 8:33 GMT+08:00 David Miller <davem@davemloft.net>:
> From: Hangbin Liu <liuhangbin@gmail.com>
> Date: Wed, 25 Jun 2014 09:31:07 +0800
>
>> @@ -1301,8 +1301,18 @@ int igmp6_event_query(struct sk_buff *skb)
>> len = ntohs(ipv6_hdr(skb)->payload_len) + sizeof(struct ipv6hdr);
>> len -= skb_network_header_len(skb);
>>
>> - /* Drop queries with not link local source */
>> - if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL))
>> + /* RFC3810 6.2
>> + * Upon reception of an MLD message that contains a Query, the node
>> + * checks if the source address of the message is a valid link-local
>> + * address, if the Hop Limit is set to 1, and if the Router Alert
>> + * option is present in the Hop-By-Hop Options header of the IPv6
>> + * packet. If any of these checks fails, the packet is dropped.
>> + */
>> + if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL) ||
>> + ipv6_hdr(skb)->hop_limit != 1 ||
>> + ipv6_hdr(skb)->nexthdr != NEXTHDR_HOP ||
>> + !(IP6CB(skb)->flags & IP6SKB_ROUTERALERT) ||
>> + IP6CB(skb)->ra != htons(IPV6_OPT_ROUTERALERT_MLD))
>> return -EINVAL;
>>
>
> Does the NEXTHDR_HOP have the be exactly the next extension header
> present? I think you need to allow for more flexibility here.
>
> In any event, the only way the IP6SKB_ROUTERALERT bit can be set
> is if there were hop-by-hop options present, so testing only the
> bit itself is sufficient.
>
> The forwarding path simplifies the check in this way too.
>
> So please adjust this to only check the bit and remove the NEXTHDR_HOP
> test.
>
Thanks for this advise, will send a v3 patch
Best regards
Hangbin Liu
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-06-27 1:56 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-06-25 1:31 [PATCH v2 net] ipv6: Fix MLD Query message check Hangbin Liu
2014-06-27 0:33 ` David Miller
2014-06-27 1:56 ` Hangbin Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).