From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jason Wang Subject: Re: [PATCH net] net: validate untrusted gso packets Date: Fri, 19 Jan 2018 16:19:58 +0800 Message-ID: <33ee3975-3447-2c1f-f752-ed77e47f3f15@redhat.com> References: <20180116202914.205914-1-willemdebruijn.kernel@gmail.com> <39e93ed0-3e2c-20bd-ebb1-deeb37940175@redhat.com> <28e14b63-5756-3384-ab16-f70911779f2a@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Cc: Network Development , David Miller , Eric Dumazet , Willem de Bruijn To: Willem de Bruijn Return-path: Received: from mx1.redhat.com ([209.132.183.28]:60802 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754972AbeASIUD (ORCPT ); Fri, 19 Jan 2018 03:20:03 -0500 In-Reply-To: Content-Language: en-US Sender: netdev-owner@vger.kernel.org List-ID: On 2018年01月19日 08:53, Willem de Bruijn wrote: >>>> And what you propose here is just a very small subset of the >>>> necessary checking, more comes at gso header checking. So even if we care >>>> performance, it only help for some specific case. >>> It also fixed the bug that Eric sent a separate patch for, as that did >>> not dissect as a valid TCP packet, either. >> I may miss something but how did this patch protects an evil thoff? > Actually, it blocked that specific reproducer because the ip protocol > did not match. I see. > > I think that __skb_flow_dissect_tcp should return a boolean, causing > dissection return FLOW_DISSECT_RET_OUT_BAD if the tcph is bad. > That would be needed to really catch it with flow dissection at the source. Just sanitize transport to offset_hint (0) in the case of tun. It looks to me flow dissector will return FLOW_DISSECT_RET_OUT_BAD too if it can't recognize the protocol. We can't differ the real failure from unrecognized protocol. (or change the return from bool to int). Thanks