Authentication-Results: mxback2g.mail.yandex.net; dkim=pass header.i=@yandex.ru Received: by myt2-dc4bba9bb23c.qloud-c.yandex.net with HTTP; Mon, 25 Feb 2019 19:27:15 +0300 From: Nazarov Sergey To: David Miller Cc: "paul@paul-moore.com" , "netdev@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "kuznet@ms2.inr.ac.ru" , "yoshfuji@linux-ipv6.org" In-Reply-To: <20190224.173328.1032826011262803545.davem@davemloft.net> References: <20190218.172544.1436352995315454863.davem@davemloft.net> <8873761550853329@myt6-67cd1de25d8a.qloud-c.yandex.net> <33533951550857169@myt3-2475c4d2af83.qloud-c.yandex.net> <20190224.173328.1032826011262803545.davem@davemloft.net> Subject: [PATCH v2 2/2] NETWORKING: avoid use IPCB in cipso_v4_error MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 Date: Mon, 25 Feb 2019 19:27:15 +0300 Message-Id: <3666661551112035@myt2-dc4bba9bb23c.qloud-c.yandex.net> Content-Transfer-Encoding: 7bit Content-Type: text/plain Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Extract IP options in cipso_v4_error and use __icmp_send. Signed-off-by: Sergey Nazarov --- include/net/ip.h | 2 ++ net/ipv4/cipso_ipv4.c | 17 +++++++++++++++-- net/ipv4/ip_options.c | 22 +++++++++++++++++----- 3 files changed, 34 insertions(+), 7 deletions(-) diff --git a/include/net/ip.h b/include/net/ip.h index 8866bfc..f0e8d06 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -667,6 +667,8 @@ static inline int ip_options_echo(struct net *net, struct ip_options *dopt, } void ip_options_fragment(struct sk_buff *skb); +int __ip_options_compile(struct net *net, struct ip_options *opt, + struct sk_buff *skb, __be32 *info); int ip_options_compile(struct net *net, struct ip_options *opt, struct sk_buff *skb); int ip_options_get(struct net *net, struct ip_options_rcu **optp, diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 777fa3b..eff86a7 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c 
@@ -1735,13 +1735,26 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) */ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway) { + unsigned char optbuf[sizeof(struct ip_options) + 40]; + struct ip_options *opt = (struct ip_options *)optbuf; + if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES) return; + /* + * We might be called above the IP layer, + * so we can not use icmp_send and IPCB here. + */ + + memset(opt, 0, sizeof(struct ip_options)); + opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); + if (__ip_options_compile(dev_net(skb->dev), opt, skb, NULL)) + return; + if (gateway) - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0); + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0, opt); else - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0); + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0, opt); } /** diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c index ed194d4..32a3504 100644 --- a/net/ipv4/ip_options.c +++ b/net/ipv4/ip_options.c @@ -251,8 +251,9 @@ static void spec_dst_fill(__be32 *spec_dst, struct sk_buff *skb) * If opt == NULL, then skb->data should point to IP header. */ -int ip_options_compile(struct net *net, - struct ip_options *opt, struct sk_buff *skb) +int __ip_options_compile(struct net *net, + struct ip_options *opt, struct sk_buff *skb, + __be32 *info) { __be32 spec_dst = htonl(INADDR_ANY); unsigned char *pp_ptr = NULL; @@ -468,11 +469,22 @@ int ip_options_compile(struct net *net, return 0; error: - if (skb) { - icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)<<24)); - } + if (info) + *info = htonl((pp_ptr-iph)<<24); return -EINVAL; } + +int ip_options_compile(struct net *net, + struct ip_options *opt, struct sk_buff *skb) +{ + int ret; + __be32 info; + + ret = __ip_options_compile(net, opt, skb, &info); + if (ret != 0 && skb) + icmp_send(skb, ICMP_PARAMETERPROB, 0, info); + return ret; +} EXPORT_SYMBOL(ip_options_compile); /* ---
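Review bot: the `__ip_options_compile()` prototype added to include/net/ip.h carries no comment explaining how it differs from `ip_options_compile()`, and the header is where the next caller will look. Suggest a two-line comment above it stating that this variant never sends ICMP_PARAMETERPROB itself and that `info`, when non-NULL, receives on failure the pointer value a caller may hand to icmp_send(), so that callers such as cipso_v4_error() (which passes NULL) do not have to read net/ipv4/ip_options.c to learn the contract.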
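Review bot: in cipso_v4_error() the namespace is taken from `dev_net(skb->dev)` while the new comment states the function may run above the IP layer; a caller on such a path that hands over an skb with skb->dev unset would now dereference NULL instead of merely skipping the ICMP, so please state which callers are covered or guard the lookup. Two smaller points on the same hunk: the literal 40 in `unsigned char optbuf[sizeof(struct ip_options) + 40];` is the maximum IPv4 options length (ihl is a 4-bit field, so `ip_hdr(skb)->ihl*4 - sizeof(struct iphdr)` is at most 60 - 20 = 40 and `opt->optlen` stays within the buffer); writing it as the kernel's MAX_IPOPTLEN constant would make the sizing self-documenting. The `memset()` clears only `sizeof(struct ip_options)`, so a one-line comment saying the trailing option bytes are intentionally left untouched would stop a reader from flagging it.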
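Review bot: the kerneldoc block ending "If opt == NULL, then skb->data should point to IP header." now sits above `__ip_options_compile()` but still describes the old single-function API and says nothing about the added `__be32 *info` out-parameter. Extend it with a line saying that `info` may be NULL and is written only on the error path, and give the new `ip_options_compile()` wrapper below a short comment saying it is the ICMP-sending variant kept for existing callers.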
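Review bot: in the new `ip_options_compile()` wrapper, `__be32 info;` is assigned by the callee only on its error path, so the correctness of `icmp_send(skb, ICMP_PARAMETERPROB, 0, info);` hinges on the `ret != 0` check; initialising it (`__be32 info = 0;`) costs nothing, documents that dependency and avoids a may-be-used-uninitialised warning from compilers or static checkers that cannot see through the call. The behavioural change is otherwise well contained: the `if (skb)` guard that used to wrap the icmp_send at `error:` is preserved in the wrapper, so existing callers still get the ICMP only when an skb is present, while the `error:` label itself now has no side effect beyond filling `info`.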