Re: [IPSEC]: Fix reversed ICMP6 policy check
On 13-12-2007 03:49, Herbert Xu wrote: On Thu, Dec 13, 2007 at 09:58:56AM +0800, Herbert Xu wrote: [IPSEC]: Fix reversed ICMP6 policy check While that won't crash anymore, it's still logically wrong. Here's a more complete fix. ...even more than this! Since more than a year each time I read your patches I wonder what kind of special attachments you use they are so unreadble (blurred) in Mozilla Thunderbird (but, I was never so desperate to study all these mail RFCs). And now - BINGO! So, they are simply treated as signatures! Nice trick! But, I see, you forgot about something this time, and now it's all clear! (Actually, I probably need one more year to find, how to turn off this sh...) Thanks, Jarek P. -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [IPSEC]: Fix reversed ICMP6 policy check
From: Herbert Xu [EMAIL PROTECTED] Date: Thu, 13 Dec 2007 09:58:56 +0800 [IPSEC]: Fix reversed ICMP6 policy check The policy check I added for ICMP on IPv6 is reversed. This patch fixes that. It also adds an skb-sp check so that unprotected packets that fail the policy check do not crash the machine. Signed-off-by: Herbert Xu [EMAIL PROTECTED] Applied, thanks Herbert. -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [IPSEC]: Fix reversed ICMP6 policy check
On Thu, Dec 13, 2007 at 09:58:56AM +0800, Herbert Xu wrote: [IPSEC]: Fix reversed ICMP6 policy check While that won't crash anymore, it's still logically wrong. Here's a more complete fix. [IPSEC]: Fix reversed ICMP6 policy check The policy check I added for ICMP on IPv6 is reversed. We were also letting packets through incorrectly if the ICMP flag isn't set. This patch fixes that. It also adds an skb-sp check so that unprotected packets that fail the policy check do not crash the machine. Signed-off-by: Herbert Xu [EMAIL PROTECTED] diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 4e3bfcd..ccdef9a 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -978,10 +978,13 @@ int icmp_rcv(struct sk_buff *skb) struct icmphdr *icmph; struct rtable *rt = (struct rtable *)skb-dst; - if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb) - skb-sp-xvec[skb-sp-len - 1]-props.flags XFRM_STATE_ICMP) { + if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { int nh; + if (!(skb-sp skb-sp-xvec[skb-sp-len - 1]-props.flags +XFRM_STATE_ICMP)) + goto drop; + if (!pskb_may_pull(skb, sizeof(*icmph) + sizeof(struct iphdr))) goto drop; diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 478ee77..bbf4162 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -646,10 +646,13 @@ static int icmpv6_rcv(struct sk_buff *skb) struct icmp6hdr *hdr; int type; - if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb) - skb-sp-xvec[skb-sp-len - 1]-props.flags XFRM_STATE_ICMP) { + if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { int nh; + if (!(skb-sp skb-sp-xvec[skb-sp-len - 1]-props.flags +XFRM_STATE_ICMP)) + goto drop_no_count; + if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(*orig_hdr))) goto drop_no_count; Thanks, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmVHI~} [EMAIL PROTECTED] Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [IPSEC]: Fix reversed ICMP6 policy check
From: Herbert Xu [EMAIL PROTECTED] Date: Thu, 13 Dec 2007 10:49:18 +0800 On Thu, Dec 13, 2007 at 09:58:56AM +0800, Herbert Xu wrote: [IPSEC]: Fix reversed ICMP6 policy check While that won't crash anymore, it's still logically wrong. Here's a more complete fix. I already applied the first one, please send a relative fixup which I'll combine as appropriate next rebase. -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [IPSEC]: Fix reversed ICMP6 policy check
On Wed, Dec 12, 2007 at 06:48:30PM -0800, David Miller wrote: From: Herbert Xu [EMAIL PROTECTED] Date: Thu, 13 Dec 2007 09:58:56 +0800 [IPSEC]: Fix reversed ICMP6 policy check Applied, thanks Herbert. You're too quick :) Before you ask for an incremental patch, here's a preemptive strike :) [IPSEC]: Do not let packets pass when ICMP flag is off This fixes a logical error in ICMP policy checks which lets packets through if the state ICMP flag is off. Signed-off-by: Herbert Xu [EMAIL PROTECTED] Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmVHI~} [EMAIL PROTECTED] Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 132e879..ccdef9a 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -978,10 +978,13 @@ int icmp_rcv(struct sk_buff *skb) struct icmphdr *icmph; struct rtable *rt = (struct rtable *)skb-dst; - if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb) skb-sp - skb-sp-xvec[skb-sp-len - 1]-props.flags XFRM_STATE_ICMP) { + if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { int nh; + if (!(skb-sp skb-sp-xvec[skb-sp-len - 1]-props.flags +XFRM_STATE_ICMP)) + goto drop; + if (!pskb_may_pull(skb, sizeof(*icmph) + sizeof(struct iphdr))) goto drop; diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 64d78c9..bbf4162 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -646,10 +646,13 @@ static int icmpv6_rcv(struct sk_buff *skb) struct icmp6hdr *hdr; int type; - if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb) skb-sp - skb-sp-xvec[skb-sp-len - 1]-props.flags XFRM_STATE_ICMP) { + if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { int nh; + if (!(skb-sp skb-sp-xvec[skb-sp-len - 1]-props.flags +XFRM_STATE_ICMP)) + goto drop_no_count; + if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(*orig_hdr))) goto drop_no_count; -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [IPSEC]: Fix reversed ICMP6 policy check
From: Herbert Xu [EMAIL PROTECTED] Date: Thu, 13 Dec 2007 10:51:56 +0800 You're too quick :) Before you ask for an incremental patch, here's a preemptive strike :) Hehe :) [IPSEC]: Do not let packets pass when ICMP flag is off This fixes a logical error in ICMP policy checks which lets packets through if the state ICMP flag is off. Signed-off-by: Herbert Xu [EMAIL PROTECTED] Applied, thanks! -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html