* [PATCH 0/3] netfilter fixes for net
@ 2013-06-17 19:34 Pablo Neira Ayuso
2013-06-17 19:34 ` [PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() Pablo Neira Ayuso
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-17 19:34 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes. They are targeted to the
TCP option targets, that have receive some scrinity in the last week. The
changes are:
* Fix TCPOPTSTRIP, it stopped working in the forward chain as tcp_hdr
uses skb->transport_header, and we cannot use that in the forwarding
case, from myself.
* Fix default IPv6 MSS in TCPMSS in case of absence of TCP MSS options,
from Phil Oester.
* Fix missing fragmentation handling again in TCPMSS, from Phil Oester.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Thanks!
----------------------------------------------------------------
The following changes since commit a8241c63517ec0b900695daa9003cddc41c536a1:
ipvs: info leak in __ip_vs_get_dest_entries() (2013-06-10 14:53:00 +0200)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to b396966c4688522863572927cb30aa874b3ec504:
netfilter: xt_TCPMSS: Fix missing fragmentation handling (2013-06-12 11:06:19 +0200)
----------------------------------------------------------------
Pablo Neira Ayuso (1):
netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr()
Phil Oester (2):
netfilter: xt_TCPMSS: Fix IPv6 default MSS too
netfilter: xt_TCPMSS: Fix missing fragmentation handling
net/netfilter/xt_TCPMSS.c | 25 ++++++++++++++++++-------
net/netfilter/xt_TCPOPTSTRIP.c | 6 ++++--
2 files changed, 22 insertions(+), 9 deletions(-)
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() 2013-06-17 19:34 [PATCH 0/3] netfilter fixes for net Pablo Neira Ayuso @ 2013-06-17 19:34 ` Pablo Neira Ayuso 2013-06-17 20:30 ` Julian Anastasov 2013-06-17 19:34 ` [PATCH 2/3] netfilter: xt_TCPMSS: Fix IPv6 default MSS too Pablo Neira Ayuso ` (2 subsequent siblings) 3 siblings, 1 reply; 7+ messages in thread From: Pablo Neira Ayuso @ 2013-06-17 19:34 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev In (bc6bcb5 netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary), the use of tcp_hdr was introduced. However, we cannot assume that skb->transport_header is set for non-local packets. Cc: Florian Westphal <fw@strlen.de> Reported-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/xt_TCPOPTSTRIP.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c index 1eb1a44..b68fa19 100644 --- a/net/netfilter/xt_TCPOPTSTRIP.c +++ b/net/netfilter/xt_TCPOPTSTRIP.c @@ -48,11 +48,13 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb, return NF_DROP; len = skb->len - tcphoff; - if (len < (int)sizeof(struct tcphdr) || - tcp_hdr(skb)->doff * 4 > len) + if (len < (int)sizeof(struct tcphdr)) return NF_DROP; tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); + if (tcph->doff * 4 > len) + return NF_DROP; + opt = (u_int8_t *)tcph; /* -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() 2013-06-17 19:34 ` [PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() Pablo Neira Ayuso @ 2013-06-17 20:30 ` Julian Anastasov 0 siblings, 0 replies; 7+ messages in thread From: Julian Anastasov @ 2013-06-17 20:30 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev Hello, On Mon, 17 Jun 2013, Pablo Neira Ayuso wrote: > In (bc6bcb5 netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond > packet boundary), the use of tcp_hdr was introduced. However, we > cannot assume that skb->transport_header is set for non-local packets. It is hidden also in tcp_hdrlen() which is used here. > Cc: Florian Westphal <fw@strlen.de> > Reported-by: Phil Oester <kernel@linuxace.com> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > --- > net/netfilter/xt_TCPOPTSTRIP.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c > index 1eb1a44..b68fa19 100644 > --- a/net/netfilter/xt_TCPOPTSTRIP.c > +++ b/net/netfilter/xt_TCPOPTSTRIP.c > @@ -48,11 +48,13 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb, > return NF_DROP; > > len = skb->len - tcphoff; > - if (len < (int)sizeof(struct tcphdr) || > - tcp_hdr(skb)->doff * 4 > len) > + if (len < (int)sizeof(struct tcphdr)) > return NF_DROP; > > tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); > + if (tcph->doff * 4 > len) We can save tcph->doff * 4 in a var and use it instead of tcp_hdrlen. BTW, optlen() touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. > + return NF_DROP; > + > opt = (u_int8_t *)tcph; > > /* > -- > 1.7.10.4 Regards -- Julian Anastasov <ja@ssi.bg> ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 2/3] netfilter: xt_TCPMSS: Fix IPv6 default MSS too 2013-06-17 19:34 [PATCH 0/3] netfilter fixes for net Pablo Neira Ayuso 2013-06-17 19:34 ` [PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() Pablo Neira Ayuso @ 2013-06-17 19:34 ` Pablo Neira Ayuso 2013-06-17 19:34 ` [PATCH 3/3] netfilter: xt_TCPMSS: Fix missing fragmentation handling Pablo Neira Ayuso 2013-06-17 23:14 ` [PATCH 0/3] netfilter fixes for net David Miller 3 siblings, 0 replies; 7+ messages in thread From: Pablo Neira Ayuso @ 2013-06-17 19:34 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Phil Oester <kernel@linuxace.com> As a followup to commit 409b545a ("netfilter: xt_TCPMSS: Fix violation of RFC879 in absence of MSS option"), John Heffner points out that IPv6 has a higher MTU than IPv4, and thus a higher minimum MSS. Update TCPMSS target to account for this, and update RFC comment. While at it, point to more recent reference RFC1122 instead of RFC879. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/xt_TCPMSS.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index afaebc7..6640a22 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -45,11 +45,12 @@ optlen(const u_int8_t *opt, unsigned int offset) static int tcpmss_mangle_packet(struct sk_buff *skb, - const struct xt_tcpmss_info *info, + const struct xt_action_param *par, unsigned int in_mtu, unsigned int tcphoff, unsigned int minlen) { + const struct xt_tcpmss_info *info = par->targinfo; struct tcphdr *tcph; unsigned int tcplen, i; __be16 oldval; @@ -125,11 +126,17 @@ tcpmss_mangle_packet(struct sk_buff *skb, skb_put(skb, TCPOLEN_MSS); - /* RFC 879 states that the default MSS is 536 without specific - * knowledge that the destination host is prepared to accept larger. - * Since no MSS was provided, we MUST NOT set a value > 536. + /* + * IPv4: RFC 1122 states "If an MSS option is not received at + * connection setup, TCP MUST assume a default send MSS of 536". + * IPv6: RFC 2460 states IPv6 has a minimum MTU of 1280 and a minimum + * length IPv6 header of 60, ergo the default MSS value is 1220 + * Since no MSS was provided, we must use the default values */ - newmss = min(newmss, (u16)536); + if (par->family == NFPROTO_IPV4) + newmss = min(newmss, (u16)536); + else + newmss = min(newmss, (u16)1220); opt = (u_int8_t *)tcph + sizeof(struct tcphdr); memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr)); @@ -188,7 +195,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par) __be16 newlen; int ret; - ret = tcpmss_mangle_packet(skb, par->targinfo, + ret = tcpmss_mangle_packet(skb, par, tcpmss_reverse_mtu(skb, PF_INET), iph->ihl * 4, sizeof(*iph) + sizeof(struct tcphdr)); @@ -217,7 +224,7 @@ tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par) tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off); if (tcphoff < 0) return NF_DROP; - ret = tcpmss_mangle_packet(skb, par->targinfo, + ret = tcpmss_mangle_packet(skb, par, tcpmss_reverse_mtu(skb, PF_INET6), tcphoff, sizeof(*ipv6h) + sizeof(struct tcphdr)); -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/3] netfilter: xt_TCPMSS: Fix missing fragmentation handling 2013-06-17 19:34 [PATCH 0/3] netfilter fixes for net Pablo Neira Ayuso 2013-06-17 19:34 ` [PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() Pablo Neira Ayuso 2013-06-17 19:34 ` [PATCH 2/3] netfilter: xt_TCPMSS: Fix IPv6 default MSS too Pablo Neira Ayuso @ 2013-06-17 19:34 ` Pablo Neira Ayuso 2013-06-17 21:03 ` Julian Anastasov 2013-06-17 23:14 ` [PATCH 0/3] netfilter fixes for net David Miller 3 siblings, 1 reply; 7+ messages in thread From: Pablo Neira Ayuso @ 2013-06-17 19:34 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Phil Oester <kernel@linuxace.com> Similar to commit bc6bcb59 ("netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary"), add safe fragment handling to xt_TCPMSS. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/xt_TCPMSS.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 6640a22..7011c71 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -57,6 +57,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, u16 newmss; u8 *opt; + /* This is a fragment, no TCP header is available */ + if (par->fragoff != 0) + return XT_CONTINUE; + if (!skb_make_writable(skb, skb->len)) return -1; -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 3/3] netfilter: xt_TCPMSS: Fix missing fragmentation handling 2013-06-17 19:34 ` [PATCH 3/3] netfilter: xt_TCPMSS: Fix missing fragmentation handling Pablo Neira Ayuso @ 2013-06-17 21:03 ` Julian Anastasov 0 siblings, 0 replies; 7+ messages in thread From: Julian Anastasov @ 2013-06-17 21:03 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev Hello, On Mon, 17 Jun 2013, Pablo Neira Ayuso wrote: > From: Phil Oester <kernel@linuxace.com> > > Similar to commit bc6bcb59 ("netfilter: xt_TCPOPTSTRIP: fix > possible mangling beyond packet boundary"), add safe fragment > handling to xt_TCPMSS. > > Signed-off-by: Phil Oester <kernel@linuxace.com> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > --- > net/netfilter/xt_TCPMSS.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c > index 6640a22..7011c71 100644 > --- a/net/netfilter/xt_TCPMSS.c > +++ b/net/netfilter/xt_TCPMSS.c > @@ -57,6 +57,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, > u16 newmss; > u8 *opt; > > + /* This is a fragment, no TCP header is available */ > + if (par->fragoff != 0) > + return XT_CONTINUE; > + > if (!skb_make_writable(skb, skb->len)) > return -1; This function needs the same check: ... + if (tcplen < (int)sizeof(struct tcphdr)) + return -1; + /* Header cannot be larger than the packet */ if (tcplen < tcph->doff*4) return -1; but 'tcplen' should be changed to 'int' for this to work. Here we have the same optlen() problem but I guess in both patches we always have something allocated after the last byte in header (struct skb_shared_inf), so crash is not possible. Regards -- Julian Anastasov <ja@ssi.bg> ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 0/3] netfilter fixes for net 2013-06-17 19:34 [PATCH 0/3] netfilter fixes for net Pablo Neira Ayuso ` (2 preceding siblings ...) 2013-06-17 19:34 ` [PATCH 3/3] netfilter: xt_TCPMSS: Fix missing fragmentation handling Pablo Neira Ayuso @ 2013-06-17 23:14 ` David Miller 3 siblings, 0 replies; 7+ messages in thread From: David Miller @ 2013-06-17 23:14 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel, netdev From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Mon, 17 Jun 2013 21:34:36 +0200 > The following patchset contains Netfilter fixes. They are targeted to the > TCP option targets, that have receive some scrinity in the last week. The > changes are: > > * Fix TCPOPTSTRIP, it stopped working in the forward chain as tcp_hdr > uses skb->transport_header, and we cannot use that in the forwarding > case, from myself. > > * Fix default IPv6 MSS in TCPMSS in case of absence of TCP MSS options, > from Phil Oester. > > * Fix missing fragmentation handling again in TCPMSS, from Phil Oester. > > You can pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master Pulled, thanks Pablo. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2013-06-17 23:14 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-06-17 19:34 [PATCH 0/3] netfilter fixes for net Pablo Neira Ayuso 2013-06-17 19:34 ` [PATCH 1/3] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr() Pablo Neira Ayuso 2013-06-17 20:30 ` Julian Anastasov 2013-06-17 19:34 ` [PATCH 2/3] netfilter: xt_TCPMSS: Fix IPv6 default MSS too Pablo Neira Ayuso 2013-06-17 19:34 ` [PATCH 3/3] netfilter: xt_TCPMSS: Fix missing fragmentation handling Pablo Neira Ayuso 2013-06-17 21:03 ` Julian Anastasov 2013-06-17 23:14 ` [PATCH 0/3] netfilter fixes for net David Miller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).