From: Tom Herbert <tom@herbertland.com>
To: <davem@davemloft.net>, <netdev@vger.kernel.org>
Cc: <kernel-team@fb.com>
Subject: [PATCH v3 net-next 2/7] flow_dissector: Limit processing of next encaps and extensions
Date: Tue, 18 Oct 2016 10:02:38 -0700 [thread overview]
Message-ID: <20161018170243.1369807-3-tom@herbertland.com> (raw)
In-Reply-To: <20161018170243.1369807-1-tom@herbertland.com>
Flow dissector does not limit the number of encapsulated packets or IPv6
header extensions that will be processed. This could easily be
susceptible to a DoS attack -- for instance a 1500 byte packet could contain
75 IPIP headers.
This patch places limits on the number of encapsulations and IPv6 extension
headers that are processed in flow dissector
Signed-off-by: Tom Herbert <tom@herbertland.com>
---
net/core/flow_dissector.c | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 1a7b80f..919bd02 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -91,6 +91,22 @@ __be32 __skb_flow_get_ports(const struct sk_buff *skb, int thoff, u8 ip_proto,
}
EXPORT_SYMBOL(__skb_flow_get_ports);
+#define MAX_DISSECT_DEPTH 10
+#define MAX_DISSECT_EXT 10
+
+#define __DISSECT_AGAIN(_target, _depth, _limit) do { \
+ (_depth)++; \
+ if ((_depth) > (_limit)) \
+ goto out_good; \
+ else \
+ goto _target; \
+} while (0)
+
+#define DISSECT_AGAIN(target) \
+ __DISSECT_AGAIN(target, depth, MAX_DISSECT_DEPTH)
+#define DISSECT_AGAIN_EXT(target) \
+ __DISSECT_AGAIN(target, ext_cnt, MAX_DISSECT_EXT)
+
/**
* __skb_flow_dissect - extract the flow_keys struct and return it
* @skb: sk_buff to extract the flow from, can be NULL if the rest are specified
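Review bot: `__DISSECT_AGAIN` ends dissection via `out_good` once `_depth` exceeds `_limit`, so a packet that is nested deeper than the limit is reported as a successful dissection carrying only the keys gathered so far; that is a defensible choice, but it is invisible at each `DISSECT_AGAIN(...)` call site and should be stated above the macro, e.g. `/* Bound re-dissection: past the limit we stop and report the keys collected so far as good; the packet is neither rejected nor parsed further. */`. The `DISSECT_AGAIN` and `DISSECT_AGAIN_EXT` wrappers also rely on the caller's locals `depth` and `ext_cnt` and on a label `out_good` being in scope, which their names do not reveal; a one-line comment naming that requirement, or passing the counter explicitly, would make the hidden control flow reviewable. The two limits of 10 are unexplained; a note on what one unit of depth is (a VLAN, PPPoE, IP-in-IP or MPLS re-entry) and one unit of ext (an IPv6 extension or fragment header) would ground the constants.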
@@ -123,6 +139,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
bool skip_vlan = false;
u8 ip_proto = 0;
bool ret = false;
+ int depth = 0, ext_cnt = 0;
if (!data) {
data = skb->data;
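Review bot: `ext_cnt` is declared once at function entry and nothing in this patch resets it when dissection re-enters at `ipv6` for an encapsulated header, so `MAX_DISSECT_EXT` appears to bound IPv6 extension headers cumulatively across the whole packet rather than per IPv6 header. That is a stricter bound than the description suggests and is reasonable for DoS limiting, but the semantics should be recorded at the declaration, e.g. `int depth = 0, ext_cnt = 0; /* ext_cnt is cumulative over all encapsulated IPv6 headers */`. The function body continues outside the hunk.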
@@ -262,7 +279,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
proto = vlan->h_vlan_encapsulated_proto;
nhoff += sizeof(*vlan);
if (skip_vlan)
- goto again;
+ DISSECT_AGAIN(again);
}
skip_vlan = true;
@@ -285,7 +302,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
}
}
- goto again;
+ DISSECT_AGAIN(again);
}
case htons(ETH_P_PPP_SES): {
struct {
@@ -299,9 +316,9 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
nhoff += PPPOE_SES_HLEN;
switch (proto) {
case htons(PPP_IP):
- goto ip;
+ DISSECT_AGAIN(ip);
case htons(PPP_IPV6):
- goto ipv6;
+ DISSECT_AGAIN(ipv6);
default:
goto out_bad;
}
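Review bot: In the PPPoE `switch (proto)`, the arms `case htons(PPP_IP):` and `case htons(PPP_IPV6):` now end in `DISSECT_AGAIN(...)` instead of a visible `goto`, so the absence of fallthrough depends on the reader knowing that both branches of the macro's `do { } while (0)` jump unconditionally. A comment on the first arm, `/* DISSECT_AGAIN always jumps; no fallthrough */`, or keeping these as plain gotos and doing the count once at the `ip`/`ipv6` labels, would keep the switch readable. The enclosing function starts and ends outside the hunk.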
@@ -472,7 +489,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP)
goto out_good;
- goto again;
+ DISSECT_AGAIN(again);
}
case NEXTHDR_HOP:
case NEXTHDR_ROUTING:
@@ -490,7 +507,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
ip_proto = opthdr[0];
nhoff += (opthdr[1] + 1) << 3;
- goto ip_proto_again;
+ DISSECT_AGAIN_EXT(ip_proto_again);
}
case NEXTHDR_FRAGMENT: {
struct frag_hdr _fh, *fh;
@@ -512,7 +529,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
if (!(fh->frag_off & htons(IP6_OFFSET))) {
key_control->flags |= FLOW_DIS_FIRST_FRAG;
if (flags & FLOW_DISSECTOR_F_PARSE_1ST_FRAG)
- goto ip_proto_again;
+ DISSECT_AGAIN_EXT(ip_proto_again);
}
goto out_good;
}
@@ -523,7 +540,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP)
goto out_good;
- goto ip;
+ DISSECT_AGAIN(ip);
case IPPROTO_IPV6:
proto = htons(ETH_P_IPV6);
@@ -531,10 +548,10 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
if (flags & FLOW_DISSECTOR_F_STOP_AT_ENCAP)
goto out_good;
- goto ipv6;
+ DISSECT_AGAIN(ipv6);
case IPPROTO_MPLS:
proto = htons(ETH_P_MPLS_UC);
- goto mpls;
+ DISSECT_AGAIN(mpls);
default:
break;
}
--
2.9.3