From: David Miller <davem@davemloft.net>
To: lucien.xin@gmail.com
Cc: netdev@vger.kernel.org, edumazet@google.com,
marcelo.leitner@gmail.com, sd@queasysnail.net
Subject: Re: [PATCH net 0/2] net: diag: fix a potential security issue
Date: Sat, 21 Oct 2017 12:14:10 +0100 (WEST) [thread overview]
Message-ID: <20171021.121410.701233686946304734.davem@davemloft.net> (raw)
In-Reply-To: <CADvbK_fWmmC3ggpoT--Pxk3GxZ8Gq_rbdFGTuXk-BuTHTO=eXw@mail.gmail.com>
From: Xin Long <lucien.xin@gmail.com>
Date: Sat, 21 Oct 2017 14:06:27 +0800
> Imagine a customer generates a sosreport on their system, and
> with that, it loads sctp module. From then on, if their firewall
> doesn't block incoming packets for sctp, they may be prone to some
> remotely triggerable issue on sctp code, without even actually using
> sctp.
Like I said, if the protocol is so unsafe, block it in the
modules.conf file.
Block all "I don't use this" protocols in netfilter.
Otherwise, like I said, any user on their system can open a socket of
the indicated protocol.
There are many options.
Furthermore, "ss" should not signal an error because the protocol
module happens to not be open yet and as I understand it this is what
your patch does since it chooses to not load the module in this
situation.
prev parent reply other threads:[~2017-10-21 11:14 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-19 7:32 [PATCH net 0/2] net: diag: fix a potential security issue Xin Long
2017-10-19 7:32 ` [PATCH net 1/2] sock_diag: request _diag module only when the family has been registered Xin Long
2017-10-19 7:32 ` [PATCH net 2/2] inet_diag: request _diag module only when the proto " Xin Long
2017-10-21 1:27 ` [PATCH net 0/2] net: diag: fix a potential security issue David Miller
[not found] ` <CADvbK_fWmmC3ggpoT--Pxk3GxZ8Gq_rbdFGTuXk-BuTHTO=eXw@mail.gmail.com>
2017-10-21 6:18 ` Eric Dumazet
2017-10-21 6:51 ` Xin Long
2017-10-21 7:45 ` Eric Dumazet
2017-10-21 8:45 ` Xin Long
2017-10-21 9:45 ` Xin Long
2017-10-21 11:16 ` David Miller
2017-10-21 11:14 ` David Miller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171021.121410.701233686946304734.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=lucien.xin@gmail.com \
--cc=marcelo.leitner@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).