From: Cong Wang <xiyou.wangcong@gmail.com>
To: saeedm@dev.mellanox.co.il
Cc: Linux Kernel Network Developers <netdev@vger.kernel.org>,
Tariq Toukan <tariqt@mellanox.com>,
Saeed Mahameed <saeedm@mellanox.com>
Subject: Re: [Patch net] mlx5: check for malformed packets
Date: Tue, 4 Dec 2018 12:21:42 -0800 [thread overview]
Message-ID: <CAM_iQpWr+9+2q4zzaYrYWB=Pu9eKeiUrnAQ-pRvvhQauHdv7Dw@mail.gmail.com> (raw)
In-Reply-To: <CALzJLG9EhopwN2TwWLBd8cKgZrPYBgaQBMvZ_a6=RtNkpp74=w@mail.gmail.com>
On Tue, Dec 4, 2018 at 11:33 AM Saeed Mahameed
<saeedm@dev.mellanox.co.il> wrote:
>
> On Sat, Dec 1, 2018 at 12:38 PM Cong Wang <xiyou.wangcong@gmail.com> wrote:
> >
> > is_last_ethertype_ip() is used to check IP/IPv6 protocol before
> > parsing IP/IPv6 headers.
> >
> > But __vlan_get_protocol() is only bound to skb->len, a malicious
> > packet could exhaust all skb->len by inserting sufficient ETH_P_8021AD
> > headers, and it may not even contain an IP/IPv6 header at all, so we
> > have to check if we are still safe to continue to parse IP/IPv6 header.
> > If not, treat it as non-IP packet.
> >
> > This should not cause any crash as we stil have tail room in skb,
> > but we can't just rely on it either.
>
> Hi Cong, is this reproducible or just a theory ? which part of the
> code you think will cause the invalid access or crash ?
Since you don't even read into my changelog, here it is:
"This should not cause any crash as we stil have tail room in skb,
but we can't just rely on it either."
As I already explained to you in a private email, when we
reference whatever field in struct iphdr, we have to make sure
the offset of that field is within skb->len.
> do you have steps to reproduce this?
>
Again, you really have to read the changelog I wrote:
"a malicious
packet could exhaust all skb->len by inserting sufficient ETH_P_8021AD
headers, and it may not even contain an IP/IPv6 header at all, "
> I would like to investigate this myself, it will take a couple of days
> if that's ok with you ..
Sure, take your time. I am sending the patch only for showing
the problem, NOT to merge.
Let's discard it anyway. I am wasting my time.
Thanks.
next prev parent reply other threads:[~2018-12-04 20:21 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-01 20:38 [Patch net] mlx5: check for malformed packets Cong Wang
2018-12-02 8:56 ` Tariq Toukan
2018-12-03 5:11 ` Cong Wang
2018-12-03 18:15 ` Cong Wang
2018-12-03 18:39 ` Cong Wang
2018-12-04 19:28 ` Saeed Mahameed
2018-12-04 20:17 ` Cong Wang
2018-12-04 19:32 ` Saeed Mahameed
2018-12-04 20:21 ` Cong Wang [this message]
2018-12-05 1:16 ` Saeed Mahameed
2018-12-05 2:12 ` Cong Wang
2018-12-04 20:23 ` Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAM_iQpWr+9+2q4zzaYrYWB=Pu9eKeiUrnAQ-pRvvhQauHdv7Dw@mail.gmail.com' \
--to=xiyou.wangcong@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=saeedm@dev.mellanox.co.il \
--cc=saeedm@mellanox.com \
--cc=tariqt@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.