From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Jason Wang <jasowang@redhat.com>
Cc: Network Development <netdev@vger.kernel.org>,
David Miller <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Willem de Bruijn <willemb@google.com>
Subject: Re: [PATCH net] net: validate untrusted gso packets
Date: Thu, 18 Jan 2018 19:53:39 -0500 [thread overview]
Message-ID: <CAF=yD-+eKuu4+c3BJG7Q04gxv0UCkdfvPTj=cSd27biMTP3S_g@mail.gmail.com> (raw)
In-Reply-To: <fc842b56-f5ae-243e-d10e-482eb1da09ae@redhat.com>
>>> This implements subset of function for codes which was removed by the
>>> commit
>>> I mentioned below.
>>
>> No, as I explain above, it performs a different check.
>>
>>>>>
>
> [...]
Clearly I was wrong, sorry. Thanks for pointing out that commit and
576a30eb6453 ("[NET]: Added GSO header verification").
>>>>> For performance reason. I think we should delay the check or
>>>>> segmentation
>>>>> as
>>>>> much as possible until it was really needed.
>>>>
>>>> Going through segmentation is probably as expensive as flow dissector,
>>>> if not more so because of the indirect branches.
>>>
>>> I think we don't even need to care about this consider the evil packet
>>> should be rare.
>>
>> How does frequency matter when a single packet can crash a host?
>
>
> I mean consider we had fix the crash, we don't care how expensive do we spot
> this.
>
>>
>>> And what you propose here is just a very small subset of the
>>> necessary checking, more comes at gso header checking. So even if we care
>>> performance, it only help for some specific case.
>>
>> It also fixed the bug that Eric sent a separate patch for, as that did
>> not dissect as a valid TCP packet, either.
>
>
> I may miss something but how did this patch protects an evil thoff?
Actually, it blocked that specific reproducer because the ip protocol
did not match.
I think that __skb_flow_dissect_tcp should return a boolean, causing
dissection return FLOW_DISSECT_RET_OUT_BAD if the tcph is bad.
That would be needed to really catch it with flow dissection at the source.
next prev parent reply other threads:[~2018-01-19 0:54 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-16 20:29 [PATCH net] net: validate untrusted gso packets Willem de Bruijn
2018-01-17 4:04 ` Jason Wang
2018-01-17 4:33 ` Willem de Bruijn
2018-01-17 4:56 ` Willem de Bruijn
2018-01-17 11:58 ` Jason Wang
2018-01-17 11:54 ` Jason Wang
2018-01-17 14:27 ` Willem de Bruijn
2018-01-17 23:17 ` Willem de Bruijn
2018-01-18 3:35 ` Jason Wang
2018-01-18 5:09 ` Willem de Bruijn
2018-01-18 9:33 ` Jason Wang
2018-01-19 0:53 ` Willem de Bruijn [this message]
2018-01-19 8:19 ` Jason Wang
2018-01-19 14:39 ` Willem de Bruijn
2018-01-22 2:44 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAF=yD-+eKuu4+c3BJG7Q04gxv0UCkdfvPTj=cSd27biMTP3S_g@mail.gmail.com' \
--to=willemdebruijn.kernel@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jasowang@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).