* [PATCH net v2] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments
@ 2015-01-09 8:26 Rahul Sharma
2015-01-09 9:53 ` YOSHIFUJI Hideaki
0 siblings, 1 reply; 3+ messages in thread
From: Rahul Sharma @ 2015-01-09 8:26 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, Hannes Frederic Sowa, netfilter-devel, Pablo Neira Ayuso
ipv6_find_hdr() currently assumes that the next-header field in the
fragment header of the non-first fragment is the "protocol number of
the last header" (here last header excludes any extension header
protocol numbers ) which is incorrect as per RFC2460. The next-header
value is the first header of the fragmentable part of the original
packet (which can be extension header as well).
This can create reassembly problems. For example: Fragmented
authenticated OSPFv3 packets (where AH header is inserted before the
protocol header). For the second fragment, the next header value in
the fragment header will be NEXTHDR_AUTH which is correct but
ipv6_find_hdr will return ENOENT since AH is an extension header
resulting in second fragment getting dropped. This check for the
presence of non-extension header needs to be removed.
Signed-off-by: Rahul Sharma <rsharma@arista.com>
---
net/ipv6/exthdrs_core.c | 13 ++++++-------
1 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/net/ipv6/exthdrs_core.c b/net/ipv6/exthdrs_core.c
index 8af3eb5..5949f87 100644
--- a/net/ipv6/exthdrs_core.c
+++ b/net/ipv6/exthdrs_core.c
@@ -171,10 +171,11 @@ EXPORT_SYMBOL_GPL(ipv6_find_tlv);
* If the first fragment doesn't contain the final protocol header or
* NEXTHDR_NONE it is considered invalid.
*
- * Note that non-1st fragment is special case that "the protocol number
- * of last header" is "next header" field in Fragment header. In this case,
- * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
- * isn't NULL.
+ * Note that non-1st fragment is special case that "the protocol number of the
+ * first header of the fragmentable part of the original packet" is
+ * "next header" field in the Fragment header. In this case, *offset is
+ * meaningless and fragment offset is stored in *fragoff if fragoff isn't
+ * NULL.
*
* if flags is not NULL and it's a fragment, then the frag flag
* IP6_FH_F_FRAG will be set. If it's an AH header, the
@@ -250,9 +251,7 @@ int ipv6_find_hdr(const struct sk_buff *skb,
unsigned int *offset,
_frag_off = ntohs(*fp) & ~0x7;
if (_frag_off) {
- if (target < 0 &&
- ((!ipv6_ext_hdr(hp->nexthdr)) ||
- hp->nexthdr == NEXTHDR_NONE)) {
+ if (target < 0) {
if (fragoff)
*fragoff = _frag_off;
return hp->nexthdr;
--
1.7.4.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net v2] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments
2015-01-09 8:26 [PATCH net v2] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments Rahul Sharma
@ 2015-01-09 9:53 ` YOSHIFUJI Hideaki
2015-01-09 11:31 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: YOSHIFUJI Hideaki @ 2015-01-09 9:53 UTC (permalink / raw)
To: Rahul Sharma, netdev
Cc: hideaki.yoshifuji, linux-kernel, Hannes Frederic Sowa,
netfilter-devel, Pablo Neira Ayuso
Hi,
Rahul Sharma wrote:
> ipv6_find_hdr() currently assumes that the next-header field in the
> fragment header of the non-first fragment is the "protocol number of
> the last header" (here last header excludes any extension header
> protocol numbers ) which is incorrect as per RFC2460. The next-header
> value is the first header of the fragmentable part of the original
> packet (which can be extension header as well).
> This can create reassembly problems. For example: Fragmented
> authenticated OSPFv3 packets (where AH header is inserted before the
> protocol header). For the second fragment, the next header value in
> the fragment header will be NEXTHDR_AUTH which is correct but
> ipv6_find_hdr will return ENOENT since AH is an extension header
> resulting in second fragment getting dropped. This check for the
> presence of non-extension header needs to be removed.
>
> Signed-off-by: Rahul Sharma <rsharma@arista.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
--
Hideaki Yoshifuji <hideaki.yoshifuji@miraclelinux.com>
Technical Division, MIRACLE LINUX CORPORATION
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net v2] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments
2015-01-09 9:53 ` YOSHIFUJI Hideaki
@ 2015-01-09 11:31 ` Pablo Neira Ayuso
0 siblings, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2015-01-09 11:31 UTC (permalink / raw)
To: Rahul Sharma, netdev
Cc: YOSHIFUJI Hideaki, netdev, linux-kernel, Hannes Frederic Sowa,
netfilter-devel
On Fri, Jan 09, 2015 at 06:53:06PM +0900, YOSHIFUJI Hideaki wrote:
> Hi,
>
> Rahul Sharma wrote:
> >ipv6_find_hdr() currently assumes that the next-header field in the
> >fragment header of the non-first fragment is the "protocol number of
> >the last header" (here last header excludes any extension header
> >protocol numbers ) which is incorrect as per RFC2460. The next-header
> >value is the first header of the fragmentable part of the original
> >packet (which can be extension header as well).
> >This can create reassembly problems. For example: Fragmented
> >authenticated OSPFv3 packets (where AH header is inserted before the
> >protocol header). For the second fragment, the next header value in
> >the fragment header will be NEXTHDR_AUTH which is correct but
> >ipv6_find_hdr will return ENOENT since AH is an extension header
> >resulting in second fragment getting dropped. This check for the
> >presence of non-extension header needs to be removed.
> >
> >Signed-off-by: Rahul Sharma <rsharma@arista.com>
>
> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
I already mentioned this patch will break ip6tables.
And it doesn't make sense to me that you still hit the problem with
nf_defrag_ipv6.
Could you please hold on with this patch until we clarify what the
real undelying problem is? Could you send me a pcap trace?
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-01-09 11:29 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-01-09 8:26 [PATCH net v2] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments Rahul Sharma
2015-01-09 9:53 ` YOSHIFUJI Hideaki
2015-01-09 11:31 ` Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.