From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: Rahul Sharma <rsharma@arista.com>
Cc: netdev@vger.kernel.org
Subject: Re: Possible BUG in ipv6_find_hdr function for fragmented packets
Date: Tue, 06 Jan 2015 14:31:34 +0100 [thread overview]
Message-ID: <1420551094.32369.34.camel@stressinduktion.org> (raw)
In-Reply-To: <CAFB3abyNNpMbX-XbJbVRNr98ns3w7VqEveiRqg2S__DrvZjT3Q@mail.gmail.com>
Hi Rahul,
On Mi, 2014-12-31 at 12:33 +0530, Rahul Sharma wrote:
> I have observed a problem when I added an AH header before protocol
> header (OSPFv3) while implementing authentication support for OSPFv3.
>
> Problem: Fragmented packets which include authentication header don't
> get reassembled in the kernel. This was because ipv6_find_hdr returns
> ENOENT for the non-first fragment since AH is an extension header.
>
> Firstly, this comment "Note that non-1st fragment is special case
> that "the protocol number of last header" is "next header" field in
> Fragment header" ('last header' doesn't include AH or other extension
> headers) before ipv6_find_hdr looks incorrect as per the description
> of the fragmentation process in RFC2460. The rfc clearly states that
> next header value in the fragments will be the first header of the
> Fragmentable part of the original packet which could be AH (51) as in
> our case.
>
> This code looks like a problem:
> if (_frag_off) {
> 253 if (target < 0 &&
> 254 ((!ipv6_ext_hdr(hp->nexthdr)) ||
> 255 hp->nexthdr == NEXTHDR_NONE)) {
> 256 if (fragoff)
> 257 *fragoff = _frag_off;
> 258 return hp->nexthdr;
> 259 }
> 260 return -ENOENT;
> 261 }
>
> For non-first fragments, the 'next header' in the fragment header
> would *always* be AUTH (or whatever extension header is the first
> header in first fragment). But the above code will keep on returning
> ENOENT for the non-first fragment in such cases.
>
> Solution: I suggest we should get away with this check
> ((!ipv6_ext_hdr(hp->nexthdr)) ||hp->nexthdr == NEXTHDR_NONE)) and
> simply return hp->nexthdr if the _frag_off is non zero. I tested it on
> my machine and it works. Adding an special case for NEXTHDR_AUTH also
> works for me.
The packets do get dropped in netfilter code? Do you have any idea were
specifically?
Your suggestion seems correct to me, can you provide a patch to fix
this?
Thanks,
Hannes
next prev parent reply other threads:[~2015-01-06 13:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-31 7:03 Possible BUG in ipv6_find_hdr function for fragmented packets Rahul Sharma
2015-01-06 13:31 ` Hannes Frederic Sowa [this message]
2015-01-06 21:43 ` Rahul Sharma
2014-12-31 7:07 Rahul Sharma
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1420551094.32369.34.camel@stressinduktion.org \
--to=hannes@stressinduktion.org \
--cc=netdev@vger.kernel.org \
--cc=rsharma@arista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.