An address sanity check is done on icmp error packets to check that the icmp error payload makes sense w.r.t. the packet itself.
The sanity check was partially incorrect since it tried to verify the source address of the error packet against the original destination, which does not make sense since the error can be generated by any intermediate node.

Reported-by: wangzhike <[email protected]>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html
Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
CC: Daniele Di Proietto <[email protected]>
Signed-off-by: Darrell Ball <[email protected]>
Signed-off-by: wangzhike <[email protected]>
Co-authored-by: wangzhike <[email protected]>
--- lib/conntrack.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index 677c0d2..4284770 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -780,8 +780,7 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size, } /* pf doesn't do this, but it seems a good idea */ - if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned - || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) { + if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) { return false; } @@ -869,9 +868,7 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size, /* pf doesn't do this, but it seems a good idea */ if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned, - &key->dst.addr.ipv6_aligned) - || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned, - &key->src.addr.ipv6_aligned)) { + &key->dst.addr.ipv6_aligned)) { return false; } -- 1.9.1
_______________________________________________
dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
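Review bot: The comment `/* pf doesn't do this, but it seems a good idea */` kept above the narrowed condition in the extract_l4_icmp hunk no longer tells a reader what is being checked or why the outer source is deliberately left unconstrained. Suggest rewording it to say that the embedded packet's source must equal the error packet's destination, and that the error packet's source is not compared because any intermediate node can generate the error. After this change `inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned` is the only address tie between the outer header and the embedded packet visible in this hunk, so the reasoning belongs next to it rather than only in the commit message.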
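Review bot: No test covers the case that the extract_l4_icmp6 hunk (and the IPv4 one before it) now accepts; the diffstat lists only lib/conntrack.c. Suggest adding one case where the ICMP/ICMPv6 error comes from a source other than the embedded packet's destination and is accepted, and one where `inner_key.src` differs from `key->dst` and still hits `return false`, so the remaining half of the check cannot be dropped unnoticed later. The retained comment in this hunk would benefit from the same rewording as in the IPv4 function so the two stay in sync.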
