From: David Miller <davem@davemloft.net>
To: khimov@altell.ru
Cc: pablo@netfilter.org, kaber@trash.net, kadlec@blackhole.kfki.hu,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, roman@khimov.ru,
kernel@linuxace.com
Subject: Re: [PATCH] net: fix search limit handling in skb_find_text()
Date: Thu, 18 Jun 2015 03:08:57 -0700 (PDT) [thread overview]
Message-ID: <20150618.030857.727287316393260187.davem@davemloft.net> (raw)
In-Reply-To: <1434359518-16897-1-git-send-email-khimov@altell.ru>
From: Roman I Khimov <khimov@altell.ru>
Date: Mon, 15 Jun 2015 12:11:58 +0300
> Suppose that we're trying to use an xt_string netfilter module to match a
> string in a specially crafted packet that has "a nice string" starting at
> offset 28.
>
> It could be done in iptables like this:
>
> -A some_chain -m string --string "a nice string" --algo bm --from 28 --to 38 -j DROP
>
> And it would work as expected. Now changing that to
>
> -A some_chain -m string --string "a nice string" --algo bm --from 29 --to 38 -j DROP
>
> breaks the match, as expected. But, if we try to make
>
> -A some_chain -m string --string "a nice string" --algo bm --from 20 --to 28 -j DROP
>
> then it suddenly works again! So the 'to' parameter seems to be inclusive, not
> working as an offset after which no search should be done. OK, now if we try:
>
> -A some_chain -m string --string "a nice string" --algo bm --from 28 --to 28 -j DROP
>
> it doesn't work. So, for the case of equal 'from' and 'to' it's treated in a
> different way.
>
> The first behaviour (matching at 'to' offset) comes from skb_find_text()
> comparison. The second one (not matching if 'from' and 'to' are equal) comes
> from skb_seq_read() check for (abs_offset >= st->upper_offset).
>
> I think that the way skb_find_text() handles 'to' is wrong and should be fixed
> so that we always have predictable behaviour -- only match before 'to' offset.
>
> There are currently only five usages of skb_find_text() in the kernel and it
> looks to me that none of them expect to match something at the 'to' offset,
> so probably this change is safe.
>
> Reported-by: Edward Makarov <makarov@altell.ru>
> Tested-by: Edward Makarov <makarov@altell.ru>
> Signed-off-by: Roman I Khimov <khimov@altell.ru>
Unfortunately any aspect of this exposed to userspace is pretty much locked
in place, and we can't change it without potentially breaking someone's
setup. This has been this way for a long time, so the risk of breaking
things is very real.
I'm not applying this, sorry.
prev parent reply other threads:[~2015-06-18 9:57 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-15 9:11 [PATCH] net: fix search limit handling in skb_find_text() Roman I Khimov
2015-06-15 17:06 ` Pablo Neira Ayuso
2015-06-15 19:37 ` Roman Khimov
2015-06-16 10:48 ` Pablo Neira Ayuso
2015-06-16 12:13 ` Roman Khimov
2015-06-18 20:01 ` Pablo Neira Ayuso
2015-06-18 10:08 ` David Miller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150618.030857.727287316393260187.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=kernel@linuxace.com \
--cc=khimov@altell.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=roman@khimov.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).