From: Ido Schimmel <idosch@idosch.org>
To: netdev@vger.kernel.org, bridge@lists.linux-foundation.org
Cc: davem@davemloft.net, kuba@kernel.org, roopa@cumulusnetworks.com,
	nikolay@cumulusnetworks.com, dlstevens@us.ibm.com,
	allas@mellanox.com, mlxsw@mellanox.com,
	Ido Schimmel <idosch@mellanox.com>
Subject: [PATCH net 2/2] vxlan: Avoid infinite loop when suppressing NS messages with invalid options
Date: Mon,  1 Jun 2020 15:58:55 +0300
Message-ID: <20200601125855.1751343-3-idosch@idosch.org>
In-Reply-To: <20200601125855.1751343-1-idosch@idosch.org>

From: Ido Schimmel <idosch@mellanox.com>

When proxy mode is enabled the vxlan device might reply to Neighbor
Solicitation (NS) messages on behalf of remote hosts.

In case the NS message includes the "Source link-layer address" option
[1], the vxlan device will use the specified address as the link-layer
destination address in its reply.

To avoid an infinite loop, break out of the options parsing loop when
encountering an option with length zero and disregard the NS message.

This is consistent with the IPv6 ndisc code and RFC 4886 which states
that "Nodes MUST silently discard an ND packet that contains an option
with length zero" [2].

[1] https://tools.ietf.org/html/rfc4861#section-4.3
[2] https://tools.ietf.org/html/rfc4861#section-4.6

Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
---
 drivers/net/vxlan.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index a5b415fed11e..779e56c43d27 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1924,6 +1924,10 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request,
 	ns_olen = request->len - skb_network_offset(request) -
 		sizeof(struct ipv6hdr) - sizeof(*ns);
 	for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) {
+		if (!ns->opt[i + 1]) {
+			kfree_skb(reply);
+			return NULL;
+		}
 		if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
 			daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
 			break;
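Review bot: In the ND_OPT_SOURCE_LL_ADDR branch, `daddr` is still taken from `ns->opt + i + sizeof(struct nd_opt_hdr)` without checking that the option's declared length, `ns->opt[i+1]<<3`, fits inside `ns_olen`. The new zero-length check stops the non-advancing loop, but the loop bound `i < ns_olen-1` only guarantees that the two option header bytes are present, not the address that follows them. Consider also discarding the message when `i + (ns->opt[i+1]<<3) > ns_olen`, either here or in a follow-up. A one-line comment above the new check pointing at RFC 4861 section 4.6 would also help, since the commit message names RFC 4886 while both reference links are to RFC 4861.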
-- 
2.26.2
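
The parsing rule the commit message describes, as an added userspace example (not code from the patch or from the kernel): a walker over ND options that discards a message containing a zero-length option and, going beyond the patch, one whose declared length runs past the buffer. The function name `nd_find_sllao` and the sample option bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_OPT_SOURCE_LL_ADDR 1	/* option type, RFC 4861 section 4.6.1 */

/* Constructed sample option areas (the bytes that follow the NS header). */
static const uint8_t good[]      = { 1, 1, 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t zero_len[]  = { 1, 0, 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t truncated[] = { 1, 2, 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t two_opts[]  = { 14, 1, 0, 0, 0, 0, 0, 0,	/* other option */
				     1, 1, 0x02, 0, 0, 0, 0, 0x01 };

/*
 * Walk the options; each is type (1 byte), length (1 byte, in units of
 * 8 octets), then payload. Returns 0 with *lladdr set to the first source
 * link-layer address (NULL if none), or -1 if the message must be dropped.
 */
int nd_find_sllao(const uint8_t *opt, size_t olen, const uint8_t **lladdr)
{
	const uint8_t *found = NULL;
	size_t i = 0;

	*lladdr = NULL;
	while (i < olen) {
		size_t len;

		if (olen - i < 2)
			return -1;	/* no room for type + length */
		len = (size_t)opt[i + 1] << 3;
		if (len == 0)
			return -1;	/* zero length: i would never advance */
		if (len > olen - i)
			return -1;	/* option runs past the buffer */
		if (opt[i] == ND_OPT_SOURCE_LL_ADDR && !found)
			found = opt + i + 2;
		i += len;
	}
	*lladdr = found;
	return 0;
}

int main(void)
{
	const uint8_t *ll;

	printf("good=%d zero_len=%d\n", nd_find_sllao(good, sizeof(good), &ll),
	       nd_find_sllao(zero_len, sizeof(zero_len), &ll));
	return 0;
}
```

Unlike the loop in the hunk, this walker validates every option before accepting the message rather than stopping at the first match.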

