From: David Miller <davem@davemloft.net>
To: lucien.xin@gmail.com
Cc: netdev@vger.kernel.org, edumazet@google.com,
	marcelo.leitner@gmail.com, sd@queasysnail.net
Subject: Re: [PATCH net 0/2] net: diag: fix a potential security issue
Date: Sat, 21 Oct 2017 12:14:10 +0100 (WEST)	[thread overview]
Message-ID: <20171021.121410.701233686946304734.davem@davemloft.net> (raw)
In-Reply-To: <CADvbK_fWmmC3ggpoT--Pxk3GxZ8Gq_rbdFGTuXk-BuTHTO=eXw@mail.gmail.com>

From: Xin Long <lucien.xin@gmail.com>
Date: Sat, 21 Oct 2017 14:06:27 +0800

> Imagine a customer generates a sosreport on their system, and
> with that, it loads the sctp module. From then on, if their firewall
> doesn't block incoming packets for sctp, they may be prone to some
> remotely triggerable issue in the sctp code, without even actually using
> sctp.

Like I said, if the protocol is so unsafe, block it in the
modules.conf file.

Block all "I don't use this" protocols in netfilter.

Otherwise, like I said, any user on their system can open a socket of
the indicated protocol.

There are many options.

Furthermore, "ss" should not signal an error because the protocol
module happens to not be open yet and as I understand it this is what
your patch does since it chooses to not load the module in this
situation.
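The two mitigations the reply points at, the modprobe configuration (what it calls the modules.conf file; on current systems a fragment under /etc/modprobe.d) and a netfilter drop rule, written out as an added example. This is not code from the thread or from the kernel tree; the function names, the "disable-<module>.conf" file name and the "filter" table name are assumptions chosen for the example. It also shows the one check a practitioner wants when applying this: which of the two modprobe keywords is actually in place, because only the install override defeats the socket(2)-triggered request_module() path for an explicit modprobe as well.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes out the two mitigations
# named above (a modprobe.d override and a netfilter drop rule) so they can be
# inspected, and reports which form of modprobe blocking is in place. The
# directory and module names are parameters: run it against a scratch
# directory without root, or against /etc/modprobe.d on a real host.

# Stop the kernel from autoloading a protocol module on socket(2).
# request_module() ends up running "modprobe net-pf-<family>-proto-<proto>",
# which modprobe resolves through the module's aliases. Two keywords matter:
#   blacklist <mod>          ignore the module's internal aliases, so alias
#                            driven autoload no longer finds it, but an
#                            explicit "modprobe <mod>" still succeeds
#   install <mod> /bin/false replace the load command, so autoload and
#                            explicit loading both fail
# Writing both lines is the usual hardening form.
write_modprobe_block() {
    dir=$1
    mod=$2
    conf="$dir/disable-$mod.conf"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" > "$conf"
    printf '%s\n' "$conf"
}

# Report how a modprobe.d directory blocks a module: prints "install" when an
# install override to /bin/false or /bin/true exists, "blacklist" when only a
# blacklist line exists, "none" otherwise (and returns non-zero for "none").
modprobe_block_level() {
    dir=$1
    mod=$2
    if grep -qsE "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)([[:space:]]|\$)" "$dir"/*.conf; then
        echo install
    elif grep -qsE "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|\$)" "$dir"/*.conf; then
        echo blacklist
    else
        echo none
        return 1
    fi
}

# Is the module present right now? A modprobe.d fragment only affects future
# loads; if sosreport (or anything else) already pulled the module in, it
# stays loaded until it is removed or the machine reboots.
module_loaded() {
    grep -qs "^$1 " /proc/modules
}

# Drop inbound traffic for L4 protocols the host does not use, so a module
# that does get loaded never sees remote input. Prints nft(8) commands for
# review rather than executing them; pipe to "sh" as root to apply.
nft_drop_rules() {
    table=$1
    shift
    printf 'nft add table inet %s\n' "$table"
    printf "nft add chain inet %s input '{ type filter hook input priority 0; policy accept; }'\n" "$table"
    for proto in "$@"; do
        printf 'nft add rule inet %s input meta l4proto %s counter drop\n' "$table" "$proto"
    done
}

# Usage on a real host, as root:
#   write_modprobe_block /etc/modprobe.d sctp
#   modprobe_block_level /etc/modprobe.d sctp
#   module_loaded sctp && echo "sctp already loaded; unload it or reboot"
#   nft_drop_rules filter sctp dccp | sh
```

With the install override in place, an unprivileged socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP) call no longer causes the module to load; the kernel's request_module() fails and the caller gets EPROTONOSUPPORT, which is the behaviour the reply argues the kernel should be configured for rather than patched around. The netfilter rule is the complement: it covers the case where the module is already resident, which no modprobe setting undoes.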


Thread overview: 11+ messages
2017-10-19  7:32 [PATCH net 0/2] net: diag: fix a potential security issue Xin Long
2017-10-19  7:32 ` [PATCH net 1/2] sock_diag: request _diag module only when the family has been registered Xin Long
2017-10-19  7:32   ` [PATCH net 2/2] inet_diag: request _diag module only when the proto " Xin Long
2017-10-21  1:27 ` [PATCH net 0/2] net: diag: fix a potential security issue David Miller
     [not found]   ` <CADvbK_fWmmC3ggpoT--Pxk3GxZ8Gq_rbdFGTuXk-BuTHTO=eXw@mail.gmail.com>
2017-10-21  6:18     ` Eric Dumazet
2017-10-21  6:51       ` Xin Long
2017-10-21  7:45         ` Eric Dumazet
2017-10-21  8:45           ` Xin Long
2017-10-21  9:45             ` Xin Long
2017-10-21 11:16               ` David Miller
2017-10-21 11:14     ` David Miller [this message]
