[PATCH net-next 0/2] icmpv6_filter: correct minimum ICMPv6 message size

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net-next 0/2] icmpv6_filter: correct minimum ICMPv6 message size
@ 2013-08-02 13:50 Werner Almesberger
  2013-08-02 13:51 ` [PATCH net-next 1/2] icmpv6_filter: fix "_hdr" incorrectly being a pointer Werner Almesberger
  2013-08-02 13:51 ` [PATCH net-next 2/2] icmpv6_filter: allow ICMPv6 messages with bodies < 4 bytes Werner Almesberger
  0 siblings, 2 replies; 5+ messages in thread
From: Werner Almesberger @ 2013-08-02 13:50 UTC (permalink / raw)
  To: netdev

These two patches correct the minimum ICMPv6 message size enforced
by net/ipv6/raw.c:icmpv6_filter

The first patch corrects a type error. Because of the error, ICMPv6
raw sockets on 32 bit systems accepted ICMPv6 messages as small as
4 bytes, while 64 bit systems required at least 8 bytes.

The second patch reduces the amount of data we require from eight
(i.e., the ICMPv6 header plus four bytes of message body) to four
bytes. This is needed for protocols like RPL (RFC 6550) that use
ICMPv6 messages with bodies smaller than four bytes.

Note that applications that assume that the kernel will not pass
such short ICMPv6 messages on raw sockets may misbehave on 64 bit
systems after applying these patches. However, even if such
applications exist, they would already have that vulnerability on
32 bit systems.

- Werner

Werner Almesberger (2):
  icmpv6_filter: fix "_hdr" incorrectly being a pointer
  icmpv6_filter: allow ICMPv6 messages with bodies < 4 bytes

 net/ipv6/raw.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

-- 
1.8.1.2

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH net-next 1/2] icmpv6_filter: fix "_hdr" incorrectly being a pointer
  2013-08-02 13:50 [PATCH net-next 0/2] icmpv6_filter: correct minimum ICMPv6 message size Werner Almesberger
@ 2013-08-02 13:51 ` Werner Almesberger
  2013-08-02 22:16   ` David Miller
  2013-08-02 13:51 ` [PATCH net-next 2/2] icmpv6_filter: allow ICMPv6 messages with bodies < 4 bytes Werner Almesberger
  1 sibling, 1 reply; 5+ messages in thread
From: Werner Almesberger @ 2013-08-02 13:51 UTC (permalink / raw)
  To: netdev

"_hdr" should hold the ICMPv6 header while "hdr" is the pointer to it.
This worked by accident.

Signed-off-by: Werner Almesberger <werner@almesberger.net>
---
 net/ipv6/raw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index c45f7a5..164fb5f 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -108,7 +108,7 @@ found:
  */
 static int icmpv6_filter(const struct sock *sk, const struct sk_buff *skb)
 {
-	struct icmp6hdr *_hdr;
+	struct icmp6hdr _hdr;
 	const struct icmp6hdr *hdr;
 
 	hdr = skb_header_pointer(skb, skb_transport_offset(skb),
-- 
1.8.1.2

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH net-next 1/2] icmpv6_filter: fix "_hdr" incorrectly being a pointer
  2013-08-02 13:51 ` [PATCH net-next 1/2] icmpv6_filter: fix "_hdr" incorrectly being a pointer Werner Almesberger
@ 2013-08-02 22:16   ` David Miller
  0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2013-08-02 22:16 UTC (permalink / raw)
  To: werner; +Cc: netdev

From: Werner Almesberger <werner@almesberger.net>
Date: Fri, 2 Aug 2013 10:51:19 -0300

> "_hdr" should hold the ICMPv6 header while "hdr" is the pointer to it.
> This worked by accident.
> 
> Signed-off-by: Werner Almesberger <werner@almesberger.net>

Applied.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH net-next 2/2] icmpv6_filter: allow ICMPv6 messages with bodies < 4 bytes
  2013-08-02 13:50 [PATCH net-next 0/2] icmpv6_filter: correct minimum ICMPv6 message size Werner Almesberger
  2013-08-02 13:51 ` [PATCH net-next 1/2] icmpv6_filter: fix "_hdr" incorrectly being a pointer Werner Almesberger
@ 2013-08-02 13:51 ` Werner Almesberger
  2013-08-02 22:16   ` David Miller
  1 sibling, 1 reply; 5+ messages in thread
From: Werner Almesberger @ 2013-08-02 13:51 UTC (permalink / raw)
  To: netdev

By using sizeof(_hdr), net/ipv6/raw.c:icmpv6_filter implicitly assumes
that any valid ICMPv6 message is at least eight bytes long, i.e., that
the message body is at least four bytes.

The DIS message of RPL (RFC 6550 section 6.2, from the 6LoWPAN world),
has a minimum length of only six bytes, and is thus blocked by
icmpv6_filter.

RFC 4443 seems to allow even a zero-sized body, making the minimum
allowable message size four bytes.

Signed-off-by: Werner Almesberger <werner@almesberger.net>
---
 net/ipv6/raw.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 164fb5f..c1e5334 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -63,6 +63,8 @@
 #include <linux/seq_file.h>
 #include <linux/export.h>
 
+#define	ICMPV6_HDRLEN	4	/* ICMPv6 header, RFC 4443 Section 2.1 */
+
 static struct raw_hashinfo raw_v6_hashinfo = {
 	.lock = __RW_LOCK_UNLOCKED(raw_v6_hashinfo.lock),
 };
@@ -111,8 +113,11 @@ static int icmpv6_filter(const struct sock *sk, const struct sk_buff *skb)
 	struct icmp6hdr _hdr;
 	const struct icmp6hdr *hdr;
 
+	/* We require only the four bytes of the ICMPv6 header, not any
+	 * additional bytes of message body in "struct icmp6hdr".
+	 */
 	hdr = skb_header_pointer(skb, skb_transport_offset(skb),
-				 sizeof(_hdr), &_hdr);
+				 ICMPV6_HDRLEN, &_hdr);
 	if (hdr) {
 		const __u32 *data = &raw6_sk(sk)->filter.data[0];
 		unsigned int type = hdr->icmp6_type;
-- 
1.8.1.2

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH net-next 2/2] icmpv6_filter: allow ICMPv6 messages with bodies < 4 bytes
  2013-08-02 13:51 ` [PATCH net-next 2/2] icmpv6_filter: allow ICMPv6 messages with bodies < 4 bytes Werner Almesberger
@ 2013-08-02 22:16   ` David Miller
  0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2013-08-02 22:16 UTC (permalink / raw)
  To: werner; +Cc: netdev

From: Werner Almesberger <werner@almesberger.net>
Date: Fri, 2 Aug 2013 10:51:34 -0300

> By using sizeof(_hdr), net/ipv6/raw.c:icmpv6_filter implicitly assumes
> that any valid ICMPv6 message is at least eight bytes long, i.e., that
> the message body is at least four bytes.
> 
> The DIS message of RPL (RFC 6550 section 6.2, from the 6LoWPAN world),
> has a minimum length of only six bytes, and is thus blocked by
> icmpv6_filter.
> 
> RFC 4443 seems to allow even a zero-sized body, making the minimum
> allowable message size four bytes.
> 
> Signed-off-by: Werner Almesberger <werner@almesberger.net>

Applied, thanks Werner.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2013-08-02 22:16 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-08-02 13:50 [PATCH net-next 0/2] icmpv6_filter: correct minimum ICMPv6 message size Werner Almesberger
2013-08-02 13:51 ` [PATCH net-next 1/2] icmpv6_filter: fix "_hdr" incorrectly being a pointer Werner Almesberger
2013-08-02 22:16   ` David Miller
2013-08-02 13:51 ` [PATCH net-next 2/2] icmpv6_filter: allow ICMPv6 messages with bodies < 4 bytes Werner Almesberger
2013-08-02 22:16   ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).