Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Huw Davies
On Tue, Dec 22, 2015 at 10:47:43PM +0100, Hannes Frederic Sowa wrote:
> On 22.12.2015 17:59, Huw Davies wrote:
> > I'm confused about this one. AFAICS, this will drop packets that we
> > can't process. We don't send the icmp error, but I can certainly add
> > that. Is that what you mean?
> >

[RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Huw Davies
We check lengths, checksum and the DOI. We leave checking of the level and categories for the socket layer.

Signed-off-by: Huw Davies
---
 include/net/calipso.h | 6 ++
 net/ipv6/calipso.c    | 43 +++
 net/ipv6/exthdrs.c    | 27

Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Huw Davies
On Tue, Dec 22, 2015 at 02:50:20PM +0100, Hannes Frederic Sowa wrote: > On 22.12.2015 12:46, Huw Davies wrote: > > > > +/* CALIPSO RFC 5570 */ > > + > > +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff) > > +{ > > + const unsigned char *nh = skb_network_header(skb); > > + > > +

Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Hannes Frederic Sowa
On 22.12.2015 12:46, Huw Davies wrote: > > +/* CALIPSO RFC 5570 */ > + > +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff) > +{ > + const unsigned char *nh = skb_network_header(skb); > + > + if (nh[optoff + 1] < 8) > + goto drop; > + > + if (nh[optoff + 6] *
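Review bot: In ipv6_hop_calipso(), the length check "nh[optoff + 1] < 8" and the read at "nh[optoff + 6]" use bare numbers, so a reader has to work out from the RFC 5570 option layout which fields are being validated. Giving the minimum option length and the field offset symbolic names, or putting a one-line comment on each check, would make the validation easier to audit. The quoted hunk is cut off after "nh[optoff + 6] *", so the checks that follow are not covered by this comment.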