From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Rahul Sharma <rsharma@arista.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
hannes@stressinduktion.org, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments
Date: Tue, 6 Jan 2015 23:47:06 +0100 [thread overview]
Message-ID: <20150106224706.GA7416@salvia> (raw)
In-Reply-To: <CAFB3abzYNYqtzd_n+Ym0Lo=DYbV0HPU=Tqw=stALNnu188hMKQ@mail.gmail.com>
On Wed, Jan 07, 2015 at 03:03:20AM +0530, Rahul Sharma wrote:
> ipv6_find_hdr() currently assumes that the next-header field in the
> fragment header of the non-first fragment is the "protocol number of
> the last header" (here last header excludes any extension header
> protocol numbers ) which is incorrect as per RFC2460. The next-header
> value is the first header of the fragmentable part of the original
> packet (which can be extension header as well).
> This can create reassembly problems. For example: Fragmented
> authenticated OSPFv3 packets (where AH header is inserted before the
> protocol header). For the second fragment, the next header value in
> the fragment header will be NEXTHDR_AUTH which is correct but
> ipv6_find_hdr will return ENOENT since AH is an extension header
> resulting in second fragment getting dropped. This check for the
> presence of non-extension header needs to be removed.
>
> Signed-off-by: Rahul Sharma <rsharma@arista.com>
> ---
> --- linux-3.18.1/net/ipv6/exthdrs_core.c.orig 2015-01-06
> 10:25:36.411419863 -0800
> +++ linux-3.18.1/net/ipv6/exthdrs_core.c 2015-01-06
> 10:51:45.819364986 -0800
> @@ -171,10 +171,11 @@ EXPORT_SYMBOL_GPL(ipv6_find_tlv);
> * If the first fragment doesn't contain the final protocol header or
> * NEXTHDR_NONE it is considered invalid.
> *
> - * Note that non-1st fragment is special case that "the protocol number
> - * of last header" is "next header" field in Fragment header. In this case,
> - * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
> - * isn't NULL.
> + * Note that non-1st fragment is special case that "the protocol number of the
> + * first header of the fragmentable part of the original packet" is
> + * "next header" field in the Fragment header. In this case, *offset is
> + * meaningless and fragment offset is stored in *fragoff if fragoff isn't
> + * NULL.
> *
> * if flags is not NULL and it's a fragment, then the frag flag
> * IP6_FH_F_FRAG will be set. If it's an AH header, the
> @@ -250,9 +251,7 @@ int ipv6_find_hdr(const struct sk_buff *
>
> _frag_off = ntohs(*fp) & ~0x7;
> if (_frag_off) {
> - if (target < 0 &&
> - ((!ipv6_ext_hdr(hp->nexthdr)) ||
This check assumes that the following headers cannot show up in the
fragmented part of the IPv6 packet:
12 bool ipv6_ext_hdr(u8 nexthdr)
13 {
14 /*
15 * find out if nexthdr is an extension header or a protocol
16 */
17 return (nexthdr == NEXTHDR_HOP) ||
18 (nexthdr == NEXTHDR_ROUTING) ||
19 (nexthdr == NEXTHDR_FRAGMENT) ||
20 (nexthdr == NEXTHDR_AUTH) ||
21 (nexthdr == NEXTHDR_NONE) ||
22 (nexthdr == NEXTHDR_DEST);
> - hp->nexthdr == NEXTHDR_NONE)) {
> + if (target < 0) {
> if (fragoff)
> *fragoff = _frag_off;
> return hp->nexthdr;
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next parent reply other threads:[~2015-01-06 22:47 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAFB3abzYNYqtzd_n+Ym0Lo=DYbV0HPU=Tqw=stALNnu188hMKQ@mail.gmail.com>
2015-01-06 22:47 ` Pablo Neira Ayuso [this message]
2015-01-07 5:41 ` [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments Rahul Sharma
2015-01-07 10:43 ` Hannes Frederic Sowa
2015-01-07 20:48 ` Rahul Sharma
2015-01-08 13:11 ` Hannes Frederic Sowa
2015-01-08 20:53 ` Pablo Neira Ayuso
2015-01-08 21:11 ` Pablo Neira Ayuso
2015-01-08 22:39 ` Hannes Frederic Sowa
2015-01-09 0:05 ` Pablo Neira Ayuso
2015-01-09 7:18 ` Rahul Sharma
2015-01-09 11:34 ` Hannes Frederic Sowa
2015-01-09 11:45 ` Pablo Neira Ayuso
2015-01-09 15:50 ` Hannes Frederic Sowa
2015-01-12 11:08 ` Rahul Sharma
2015-01-12 11:51 ` Pablo Neira Ayuso
2015-01-13 4:23 ` Rahul Sharma
2015-01-13 10:11 ` Hannes Frederic Sowa
2015-01-22 11:24 ` Rahul Sharma
2015-01-09 11:36 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150106224706.GA7416@salvia \
--to=pablo@netfilter.org \
--cc=hannes@stressinduktion.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=rsharma@arista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).