From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Roman I Khimov <khimov@altell.ru>
Cc: davem@davemloft.net, kaber@trash.net, kadlec@blackhole.kfki.hu,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, roman@khimov.ru,
Phil Oester <kernel@linuxace.com>, Thomas Graf <tgraf@suug.ch>
Subject: Re: [PATCH] net: fix search limit handling in skb_find_text()
Date: Mon, 15 Jun 2015 19:06:39 +0200 [thread overview]
Message-ID: <20150615170639.GA21117@salvia> (raw)
In-Reply-To: <1434359518-16897-1-git-send-email-khimov@altell.ru>
Cc'ing Thomas.
On Mon, Jun 15, 2015 at 12:11:58PM +0300, Roman I Khimov wrote:
> Suppose that we're trying to use an xt_string netfilter module to match a
> string in a specially crafted packet that has "a nice string" starting at
> offset 28.
>
> It could be done in iptables like this:
>
> -A some_chain -m string --string "a nice string" --algo bm --from 28 --to 38 -j DROP
>
> And it would work as expected. Now changing that to
>
> -A some_chain -m string --string "a nice string" --algo bm --from 29 --to 38 -j DROP
>
> breaks the match, as expected. But, if we try to make
>
> -A some_chain -m string --string "a nice string" --algo bm --from 20 --to 28 -j DROP
>
> then it suddenly works again! So the 'to' parameter seems to be inclusive, not
> working as an offset after which no search should be done. OK, now if we try:
>
> -A some_chain -m string --string "a nice string" --algo bm --from 28 --to 28 -j DROP
Can you reproduce the same behaviour with the km algo?
> it doesn't work. So, for the case of equal 'from' and 'to' it's treated in a
> different way.
>
> The first behaviour (matching at 'to' offset) comes from skb_find_text()
> comparison. The second one (not matching if 'from' and 'to' are equal) comes
> from skb_seq_read() check for (abs_offset >= st->upper_offset).
>
> I think that the way skb_find_text() handles 'to' is wrong and should be fixed
> so that we always have predictable behaviour -- only match before 'to' offset.
>
> There are currently only five usages of skb_find_text() in the kernel and it
> looks to me that none of them expect to match something at the 'to' offset,
> so probably this change is safe.
So both 'from' and 'to' are inclusive which seems consistent to me. If
you make 'to' non-inclusive, then that will change the third example
above, right? That will break existing setups for people that are
relying on this behaviour. This has been exposed in this way for long
time, so we should avoid that breakage.
I would suggest you fix the --from X --to Y where X == Y which is not
doing what people would expect.
next prev parent reply other threads:[~2015-06-15 17:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-15 9:11 [PATCH] net: fix search limit handling in skb_find_text() Roman I Khimov
2015-06-15 17:06 ` Pablo Neira Ayuso [this message]
2015-06-15 19:37 ` Roman Khimov
2015-06-16 10:48 ` Pablo Neira Ayuso
2015-06-16 12:13 ` Roman Khimov
2015-06-18 20:01 ` Pablo Neira Ayuso
2015-06-18 10:08 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150615170639.GA21117@salvia \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=kernel@linuxace.com \
--cc=khimov@altell.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=roman@khimov.ru \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).