Re: [ovs-dev] [PATCH v2] datapath-windows: Do not drop Ip fragments less than MIN_FRAGMENT_SIZE

[aserdean]

Applied on master!

Thanks,
Alin.

> -Mesaj original-
> De la: ovs-dev-boun...@openvswitch.org  boun...@openvswitch.org> În numele Anand Kumar
> Trimis: Thursday, March 8, 2018 2:16 AM
> Către: aserd...@ovn.org; d...@openvswitch.org
> Subiect: Re: [ovs-dev] [PATCH v2] datapath-windows: Do not drop Ip
> fragments less than MIN_FRAGMENT_SIZE
> 
> Hi Alin,
> 
> Thanks for reviewing the patch.
> Can we get this patch applied?
> 
> Thanks,
> Anand Kumar
> 

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Re: [ovs-dev] [PATCH v2] datapath-windows: Do not drop Ip fragments less than MIN_FRAGMENT_SIZE

[Anand Kumar]

Hi Alin,

Thanks for reviewing the patch. 
Can we get this patch applied?

Thanks,
Anand Kumar

On 3/7/18, 3:42 AM, "ovs-dev-boun...@openvswitch.org on behalf of 
aserd...@ovn.org"  wrote:

Acked-by: Alin Gabriel Serdean 

Alin.

-Mesaj original-
De la: ovs-dev-boun...@openvswitch.org  În
numele Anand Kumar
Trimis: Wednesday, March 7, 2018 1:48 AM
Către: d...@openvswitch.org
Subiect: [ovs-dev] [PATCH v2] datapath-windows: Do not drop Ip fragments
less than MIN_FRAGMENT_SIZE

Previously ipfragment module would drop any fragments less than
MIN_FRAGMENT_SIZE (400 bytes), which was added to safeguard against the
vulnerability CVE-2000-0305. This check is incorrect, since minimum size of
the Ipfragment is 68 bytes (i.e. max length of Ip Header + 8 bytes of
L4 header). So Ip fragments less than MIN_FRAGMENT_SIZE (400 bytes) is not
guranted to be malformed or illegal.

To guard against security vulnerability CVE-2000-0305, for a given ip
datagram, ipfragments should be dropped only when number of smallest
fragments recieved reaches a certain threshold.

Signed-off-by: Anand Kumar 
---
 datapath-windows/ovsext/IpFragment.c | 9 +++--
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/datapath-windows/ovsext/IpFragment.c
b/datapath-windows/ovsext/IpFragment.c
index 3d5277a..d59d7cf 100644
--- a/datapath-windows/ovsext/IpFragment.c
+++ b/datapath-windows/ovsext/IpFragment.c
@@ -25,10 +25,10 @@
 #undef OVS_DBG_MOD
 #endif
 #define OVS_DBG_MOD OVS_DBG_IPFRAG
-/* Based on MIN_FRAGMENT_SIZE.*/
-#define MAX_FRAGMENTS 164
+
 #define MIN_FRAGMENT_SIZE 400
 #define MAX_IPDATAGRAM_SIZE 65535
+#define MAX_FRAGMENTS MAX_IPDATAGRAM_SIZE/MIN_FRAGMENT_SIZE + 1
 
 /* Function declarations */
 static KSTART_ROUTINE OvsIpFragmentEntryCleaner; @@ -275,10 +275,7 @@
OvsProcessIpv4Fragment(POVS_SWITCH_CONTEXT switchContext,
 offset = ntohs(ipHdr->frag_off) & IP_OFFSET;
 offset <<= 3;
 flags = ntohs(ipHdr->frag_off) & IP_MF;
-/* Only the last fragment can be of smaller size.*/
-if (flags && ntohs(ipHdr->tot_len) < MIN_FRAGMENT_SIZE) {
-return NDIS_STATUS_INVALID_LENGTH;
-}
+
 /*Copy fragment specific fields. */
 fragKey.protocol = ipHdr->protocol;
 fragKey.id = ipHdr->id;
--
2.9.3.windows.1

___
dev mailing list
d...@openvswitch.org

https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev=DwIFBA=uilaK90D4TOVoH58JNXRgQ=Q5z9tBe-nAOpE7LIHSPV8uy5-437agMXvkeHHMkR8Us=wBaFjfmLsp_IHmGbqcnqFbiVgL9SrUg_OjOmu6mtm18=-RSx_6v5FgOED7n_4PPfYEIrpVkor7g5BhyBt2ygcuU=

___
dev mailing list
d...@openvswitch.org

https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev=DwIFBA=uilaK90D4TOVoH58JNXRgQ=Q5z9tBe-nAOpE7LIHSPV8uy5-437agMXvkeHHMkR8Us=wBaFjfmLsp_IHmGbqcnqFbiVgL9SrUg_OjOmu6mtm18=-RSx_6v5FgOED7n_4PPfYEIrpVkor7g5BhyBt2ygcuU=


___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Re: [ovs-dev] [PATCH v2] datapath-windows: Do not drop Ip fragments less than MIN_FRAGMENT_SIZE

[aserdean]

Acked-by: Alin Gabriel Serdean 

Alin.

-Mesaj original-
De la: ovs-dev-boun...@openvswitch.org  În
numele Anand Kumar
Trimis: Wednesday, March 7, 2018 1:48 AM
Către: d...@openvswitch.org
Subiect: [ovs-dev] [PATCH v2] datapath-windows: Do not drop Ip fragments
less than MIN_FRAGMENT_SIZE

Previously ipfragment module would drop any fragments less than
MIN_FRAGMENT_SIZE (400 bytes), which was added to safeguard against the
vulnerability CVE-2000-0305. This check is incorrect, since minimum size of
the Ipfragment is 68 bytes (i.e. max length of Ip Header + 8 bytes of
L4 header). So Ip fragments less than MIN_FRAGMENT_SIZE (400 bytes) is not
guranted to be malformed or illegal.

To guard against security vulnerability CVE-2000-0305, for a given ip
datagram, ipfragments should be dropped only when number of smallest
fragments recieved reaches a certain threshold.

Signed-off-by: Anand Kumar 
---
 datapath-windows/ovsext/IpFragment.c | 9 +++--
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/datapath-windows/ovsext/IpFragment.c
b/datapath-windows/ovsext/IpFragment.c
index 3d5277a..d59d7cf 100644
--- a/datapath-windows/ovsext/IpFragment.c
+++ b/datapath-windows/ovsext/IpFragment.c
@@ -25,10 +25,10 @@
 #undef OVS_DBG_MOD
 #endif
 #define OVS_DBG_MOD OVS_DBG_IPFRAG
-/* Based on MIN_FRAGMENT_SIZE.*/
-#define MAX_FRAGMENTS 164
+
 #define MIN_FRAGMENT_SIZE 400
 #define MAX_IPDATAGRAM_SIZE 65535
+#define MAX_FRAGMENTS MAX_IPDATAGRAM_SIZE/MIN_FRAGMENT_SIZE + 1
 
 /* Function declarations */
 static KSTART_ROUTINE OvsIpFragmentEntryCleaner; @@ -275,10 +275,7 @@
OvsProcessIpv4Fragment(POVS_SWITCH_CONTEXT switchContext,
 offset = ntohs(ipHdr->frag_off) & IP_OFFSET;
 offset <<= 3;
 flags = ntohs(ipHdr->frag_off) & IP_MF;
-/* Only the last fragment can be of smaller size.*/
-if (flags && ntohs(ipHdr->tot_len) < MIN_FRAGMENT_SIZE) {
-return NDIS_STATUS_INVALID_LENGTH;
-}
+
 /*Copy fragment specific fields. */
 fragKey.protocol = ipHdr->protocol;
 fragKey.id = ipHdr->id;
--
2.9.3.windows.1

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev