From: Ido Schimmel <idosch@idosch.org>
To: netdev@vger.kernel.org, bridge@lists.linux-foundation.org
Cc: davem@davemloft.net, kuba@kernel.org, roopa@cumulusnetworks.com, nikolay@cumulusnetworks.com, dlstevens@us.ibm.com, allas@mellanox.com, mlxsw@mellanox.com, Ido Schimmel <idosch@mellanox.com>
Subject: [PATCH net 2/2] vxlan: Avoid infinite loop when suppressing NS messages with invalid options
Date: Mon, 1 Jun 2020 15:58:55 +0300
Message-ID: <20200601125855.1751343-3-idosch@idosch.org>
In-Reply-To: <20200601125855.1751343-1-idosch@idosch.org>

From: Ido Schimmel <idosch@mellanox.com>

When proxy mode is enabled the vxlan device might reply to Neighbor Solicitation (NS) messages on behalf of remote hosts. In case the NS message includes the "Source link-layer address" option [1], the vxlan device will use the specified address as the link-layer destination address in its reply.

To avoid an infinite loop, break out of the options parsing loop when encountering an option with length zero and disregard the NS message.

This is consistent with the IPv6 ndisc code and RFC 4886 which states that "Nodes MUST silently discard an ND packet that contains an option with length zero" [2].

[1] https://tools.ietf.org/html/rfc4861#section-4.3
[2] https://tools.ietf.org/html/rfc4861#section-4.6

Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>

--- drivers/net/vxlan.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index a5b415fed11e..779e56c43d27 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c
@@ -1924,6 +1924,10 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request, ns_olen = request->len - skb_network_offset(request) - sizeof(struct ipv6hdr) - sizeof(*ns); for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) { + if (!ns->opt[i + 1]) { + kfree_skb(reply); + return NULL; + } if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) { daddr = ns->opt + i + sizeof(struct nd_opt_hdr); break; -- 2.26.2
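Review bot: The loop in vxlan_na_create() still does not check that an option's declared length fits in the remaining ns_olen bytes. The condition `i < ns_olen-1` only guarantees that `ns->opt[i]` and `ns->opt[i + 1]` are inside the option area, so when ND_OPT_SOURCE_LL_ADDR is matched, `daddr = ns->opt + i + sizeof(struct nd_opt_hdr)` can point at address bytes that lie partly or wholly beyond ns_olen, for example when the option header occupies the last two bytes. Consider also discarding the message when `i + (ns->opt[i + 1] << 3) > ns_olen`, in the same branch that frees `reply`. Two smaller points: the added lines write `i + 1` while the loop header keeps `i+1`, and a one-line comment above the check citing the RFC 4861 section 4.6 rule would tell the next reader why the whole message is dropped rather than just the option.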
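The zero-length rule quoted in the commit message, as an added user-space example (not code from the patch or the kernel): a bounded ND option walker that discards on a zero length and also on an option that overruns the buffer. The function name, return codes and sample byte arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_OPT_SOURCE_LL_ADDR 1 /* option type, RFC 4861 section 4.6.1 */

enum nd_walk { ND_FOUND = 0, ND_ABSENT = 1, ND_DISCARD = -1 };

/*
 * Walk the ND options in opt[0..olen) looking for the source link-layer
 * address. Each option is: type (1 byte), length (1 byte, in units of
 * 8 octets, header included), then the value.
 */
static enum nd_walk nd_find_sllao(const uint8_t *opt, size_t olen,
                                  const uint8_t **lladdr)
{
    size_t i = 0;

    *lladdr = NULL;
    while (i < olen) {
        size_t optlen;

        if (olen - i < 2)        /* type/length header is truncated */
            return ND_DISCARD;
        optlen = (size_t)opt[i + 1] << 3;
        if (optlen == 0)         /* cursor would never advance */
            return ND_DISCARD;
        if (optlen > olen - i)   /* value runs past the end of the buffer */
            return ND_DISCARD;
        if (opt[i] == ND_OPT_SOURCE_LL_ADDR) {
            *lladdr = opt + i + 2; /* optlen >= 8, so 6 bytes are in range */
            return ND_FOUND;
        }
        i += optlen;
    }
    return ND_ABSENT;
}

/* Constructed option areas, not captured traffic. */
static const uint8_t opts_ok[] = { 14, 1, 1, 2, 3, 4, 5, 6,        /* unrelated option */
                                   1, 1, 0x02, 0, 0, 0, 0, 0x01 }; /* SLLAO */
static const uint8_t opts_zero[] = { 1, 0, 0, 0, 0, 0, 0, 0 };     /* length 0 */
static const uint8_t opts_trunc[] = { 1, 2, 0x02, 0, 0, 0, 0, 0x01 }; /* claims 16 bytes */

int main(void)
{
    const uint8_t *ll;

    printf("ok=%d zero=%d trunc=%d\n",
           nd_find_sllao(opts_ok, sizeof(opts_ok), &ll),
           nd_find_sllao(opts_zero, sizeof(opts_zero), &ll),
           nd_find_sllao(opts_trunc, sizeof(opts_trunc), &ll));
    return 0;
}
```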