From: David Ahern <dsahern@gmail.com>
To: Kasper Dupont <kasperd@gczfm.28.feb.2009.kasperd.net>,
netdev@vger.kernel.org
Cc: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>,
davem@davemloft.net, kuba@kernel.org, dsahern@kernel.org,
Kasper Dupont <kasperd@gjkwv.06.feb.2021.kasperd.net>
Subject: Re: [PATCH 2/2] neighbour: allow NUD_NOARP entries to be forced GCed
Date: Mon, 19 Apr 2021 10:10:12 -0700 [thread overview]
Message-ID: <0b502406-1a86-faec-ff46-c530145b90cf@gmail.com> (raw)
In-Reply-To: <20210419164429.GA2295190@sniper.kasperd.net>
On 4/19/21 9:44 AM, Kasper Dupont wrote:
> On 17/03/21 15.53, Thadeu Lima de Souza Cascardo wrote:
>> IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to
>> fill up the neighbour table with enough entries that it will overflow for
>> valid connections after that.
>>
>> This behaviour is more prevalent after commit 58956317c8de ("neighbor:
>> Improve garbage collection") is applied, as it prevents removal from
>> entries that are not NUD_FAILED, unless they are more than 5s old.
>>
>> Fixes: 58956317c8de (neighbor: Improve garbage collection)
>> Reported-by: Kasper Dupont <kasperd@gjkwv.06.feb.2021.kasperd.net>
>> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
>> ---
>> net/core/neighbour.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
>> index bbc89c7ffdfd..be5ca411b149 100644
>> --- a/net/core/neighbour.c
>> +++ b/net/core/neighbour.c
>> @@ -256,6 +256,7 @@ static int neigh_forced_gc(struct neigh_table *tbl)
>>
>> write_lock(&n->lock);
>> if ((n->nud_state == NUD_FAILED) ||
>> + (n->nud_state == NUD_NOARP) ||
>> (tbl->is_multicast &&
>> tbl->is_multicast(n->primary_key)) ||
>> time_after(tref, n->updated))
>> --
>> 2.27.0
>>
>
> Is there any update regarding this change?
>
> I noticed this regression when it was used in a DoS attack on one of
> my servers which I had upgraded from Ubuntu 18.04 to 20.04.
>
> I have verified that Ubuntu 18.04 is not subject to this attack and
> Ubuntu 20.04 is vulnerable. I have also verified that the one-line
> change which Cascardo has provided fixes the vulnerability on Ubuntu
> 20.04.
>
your testing included both patches or just this one?
next prev parent reply other threads:[~2021-04-19 17:10 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-17 18:53 [PATCH 1/2] neighbour: allow referenced neighbours to be removed Thadeu Lima de Souza Cascardo
2021-03-17 18:53 ` [PATCH 2/2] neighbour: allow NUD_NOARP entries to be forced GCed Thadeu Lima de Souza Cascardo
2021-04-19 16:44 ` Kasper Dupont
2021-04-19 17:10 ` David Ahern [this message]
2021-04-19 17:52 ` Kasper Dupont
2021-04-20 4:27 ` David Ahern
2021-03-17 23:42 ` [PATCH 1/2] neighbour: allow referenced neighbours to be removed David Ahern
2021-03-22 21:33 ` Thadeu Lima de Souza Cascardo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0b502406-1a86-faec-ff46-c530145b90cf@gmail.com \
--to=dsahern@gmail.com \
--cc=cascardo@canonical.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=kasperd@gczfm.28.feb.2009.kasperd.net \
--cc=kasperd@gjkwv.06.feb.2021.kasperd.net \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.