netdev.vger.kernel.org archive mirror
From: Stephen Hemminger <stephen@networkplumber.org>
To: Ttttabcd <ttttabcd@protonmail.com>
Cc: Netdev <netdev@vger.kernel.org>,
	David Miller <davem@davemloft.net>,
	"kuznet@ms2.inr.ac.ru" <kuznet@ms2.inr.ac.ru>,
	"yoshfuji@linux-ipv6.org" <yoshfuji@linux-ipv6.org>
Subject: Re: [PATCH] fragment: Improved handling of incorrect IP fragments
Date: Mon, 6 Jan 2020 16:06:35 -0800	[thread overview]
Message-ID: <20200106160635.2550c92f@hermes.lan> (raw)
In-Reply-To: <BRNuMFiJpql6kgRrEdMdQfo3cypcBpqGRtfWvbW8QFsv2MSUj_fUV-s8Fx-xopJ8kvR3ZMJM0tck6FYxm8S0EcpZngEzrfFg5w22Qo8asEQ=@protonmail.com>

On Fri, 03 Jan 2020 00:44:30 +0000
Ttttabcd <ttttabcd@protonmail.com> wrote:

> > You can not safely drop this check.
> > With recursive fragmentation it is possible that the initial payload ends
> > up exceeding the maximum packet length.  
> 
> Can you give an example? What is "recursive fragmentation"?
> 
> In my previous tests, all fragment packets with a payload length exceeding 65535 will be in the ip6_frag_queue
> 
> if ((unsigned int) end > IPV6_MAXPLEN)
> 
> Was discarded.
> 
> 

I get wary of any changes to fragmentation code. It has a long history
of bugs and is complex. See recent FragSmack for some backstory.

You need to split IPv4 and IPv6 parts into two different patches.
In the IPv4 part, you dropped the test for oversize IPv4 packet.

With raw packet tools it is possible to generate a packet that reassembles into
a packet larger than 64K.  An example is:

$ tshark -r oversize-ipv4.pcap 
    1   0.000000    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=0, ID=9b39)
    2   0.001615    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=1440, ID=9b39)
    3   0.004115    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=2920, ID=9b39)
    4   0.006502    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=4400, ID=9b39)
    5   0.008819    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=5880, ID=9b39)
    6   0.011178    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=7360, ID=9b39)
    7   0.013465    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=8840, ID=9b39)
    8   0.016040    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=10320, ID=9b39)
    9   0.018369    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=11800, ID=9b39)
   10   0.020679    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=13280, ID=9b39)
   11   0.022965    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=14760, ID=9b39)
   12   0.025186    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=16240, ID=9b39)
   13   0.027277    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=17720, ID=9b39)
   14   0.028917    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=19200, ID=9b39)
   15   0.030832    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=20680, ID=9b39)
   16   0.032232    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=22160, ID=9b39)
   17   0.033742    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=23640, ID=9b39)
   18   0.035106    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=25120, ID=9b39)
   19   0.036736    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=26600, ID=9b39)
   20   0.037728    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=28080, ID=9b39)
   21   0.038983    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=29560, ID=9b39)
   22   0.040007    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=31040, ID=9b39)
   23   0.041459    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=32520, ID=9b39)
   24   0.042833    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=34000, ID=9b39)
   25   0.044030    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=35480, ID=9b39)
   26   0.044909    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=36960, ID=9b39)
   27   0.045921    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=38440, ID=9b39)
   28   0.046767    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=39920, ID=9b39)
   29   0.047581    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=41400, ID=9b39)
   30   0.048610    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=42880, ID=9b39)
   31   0.049323    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=44360, ID=9b39)
   32   0.050102    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=45840, ID=9b39)
   33   0.051014    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=47320, ID=9b39)
   34   0.051787    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=48800, ID=9b39)
   35   0.052576    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=50280, ID=9b39)
   36   0.053448    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=51760, ID=9b39)
   37   0.054260    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=53240, ID=9b39)
   38   0.055036    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=54720, ID=9b39)
   39   0.055823    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=56200, ID=9b39)
   40   0.056614    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=57680, ID=9b39)
   41   0.057512    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=59160, ID=9b39)
   42   0.058313    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=60640, ID=9b39)
   43   0.059073    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=62120, ID=9b39)
   44   0.059945    127.0.0.1 → 127.0.0.1    IPv4 1514 Fragmented IP protocol (proto=TCP 6, off=63600, ID=9b39)
   45   0.060705    127.0.0.1 → 127.0.0.1    TCP 469 16705 → 16705 [FIN, ECN, NS] Seq=1 Win=16705, bogus TCP header length (16, must be at least 20)

With current (correct) Linux kernel code this gets reassembled and dropped,
as seen in the dmesg log and statistics.

With your IPv4 patch the oversize packet gets passed on up the stack.

Testing this stuff is hard; it requires packet hacker tools.


Thread overview: 6+ messages
2019-12-31  1:19 [PATCH] fragment: Improved handling of incorrect IP fragments Ttttabcd
2020-01-02 19:27 ` Stephen Hemminger
2020-01-03  0:44   ` Ttttabcd
2020-01-07  0:06     ` Stephen Hemminger [this message]
2020-01-07  0:37       ` Ttttabcd
2020-01-12 15:14       ` Ttttabcd
