* IPsecv6 integrity failures not dropped
From: latten @ 2003-04-18 20:17 UTC (permalink / raw)
To: davem, kuznet, netdev; +Cc: linux-kernel
I am running IPSecv6 on 2.5.67 with patch-2.5.67-bk8.
If AH authentication or ESP encryption integrity check for an
incoming packet fails, result is an ICMPv6 Parameter problem
of Unknown-Next-Header, instead of just dropping packet. This
is because xfrm6_rcv() expects an unsigned-8-bit return value
from the input handler, i.e. ah6_input() or esp6_input(). But handler
returns a signed int (-EINVAL) that seems to be getting converted into
a "u8" via 2's complement, because ah6_input() says it is returning
-EINVAL/-22, but xfrm6_rcv() says it got a return value of 234,
which it believes to be valid and passes to ip6_input() who thinks it is
the next header.
I modified ah6_input() and esp6_input() to return zero instead of -EINVAL
in the fix below. I tested it and it works.
Please let me know if this is ok.
Joy
-------------------------------------------------------------------------
--- ah6.c.orig 2003-04-17 16:04:07.000000000 -0500
+++ ah6.c 2003-04-18 14:15:37.000000000 -0500
@@ -212,7 +212,7 @@
free_out:
kfree(tmp_hdr);
out:
- return -EINVAL;
+ return 0;
}
void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
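Review bot: At `out:` in ah6.c the failure path now returns 0, so the -EINVAL reason is lost to every caller, and `free_out:` falls through to the same return. The description locates the 234 in xfrm6_rcv(), which holds the handler's result in an unsigned 8-bit value, so consider keeping `return -EINVAL;` here and widening that variable in the caller instead.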
--- esp6.c.orig 2003-04-17 17:07:25.000000000 -0500
+++ esp6.c 2003-04-17 17:08:17.000000000 -0500
@@ -346,7 +346,7 @@
return ret_nexthdr;
out:
- return -EINVAL;
+ return 0;
}
static u32 esp6_get_max_size(struct xfrm_state *x, int mtu)
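Review bot: In esp6.c the success path just above returns `ret_nexthdr` and the `out:` failure path now returns 0, which puts both results in the same non-negative range; 0 is also the IPv6 next-header value for Hop-by-Hop Options, so failure is only distinguishable if the caller treats 0 specially. Keeping a negative return and fixing the receiving type in xfrm6_rcv() avoids relying on that; if 0 stays, a comment at `out:` stating that it means "drop" would help.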
* Re: IPsecv6 integrity failures not dropped
From: David S. Miller @ 2003-04-18 21:10 UTC (permalink / raw)
To: latten; +Cc: kuznet, netdev, linux-kernel
   From: latten@austin.ibm.com
   Date: Fri, 18 Apr 2003 15:17:04 -0500

   I modified ah6_input() and esp6_input() to return zero instead of -EINVAL
   in the fix below. I tested it and it works.
   Please let me know if this is ok.

I think it would be better if ipv6's upper-layer interface worked
like ipv4's. ie. a < 0 return value means:
	next_proto =- ret;
	goto resubmit;
The less that is different between ipv4/ipv6 the better.
* Re: IPsecv6 integrity failures not dropped
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2003-04-19 2:12 UTC (permalink / raw)
To: davem; +Cc: latten, kuznet, netdev, linux-kernel
In article <20030418.141014.17269641.davem@redhat.com> (at Fri, 18 Apr 2003 14:10:14 -0700 (PDT)), "David S. Miller" <davem@redhat.com> says:
> I think it would be better if ipv6's upper-layer interface worked
> like ipv4's. ie. a < 0 return value means:
>
> next_proto =- ret;
> goto resubmit;
NO! Please, don't do this again (for now, at least).
This idea is what we had introduced the bug,
that was fixed by "[IPV6]: Fixed multiple mistake extension header handling."
We need to get the offset of the next header, in addition to the value
itself.
inet6_protocol function will return:
    > 0: more header(s) follows; next header is pointed by skb->nh.raw[nhoff]
    = 0: stop parsing on success; increment the statistics (nhoff is undefined)
    < 0: stop parsing on failure (nhoff is undefined)
If upper-layer returns positive value, we continue parsing.
Then, if the skb->nh.raw[nhoff] is unknown, we send back the parameter problem
message with the offset to the unrecognized next header field.
> The less that is different between ipv4/ipv6 the better.
Agreed, but please note that IPv4 side would be required to be changed
in general.
Well...
1) May we have a new member to point the offset of the next header in
ipv6_pinfo{}?
Then, we can remove *nhoffp from argument of inet6_protocol function.
(We will be cleaner handling of HbH option, too.)
2) change IPv4 upperlayer function to take struct sk_buff **.
If you are not in hurry, I'll take care of this.
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA
* Re: IPsecv6 integrity failures not dropped
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2003-04-19 2:17 UTC (permalink / raw)
To: davem; +Cc: latten, kuznet, netdev, linux-kernel
In article <20030419.111238.07385967.yoshfuji@wide.ad.jp> (at Sat, 19 Apr 2003 11:12:38 +0900 (JST)), YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@wide.ad.jp> says:
> > 0: more header(s) follows; next header is pointed by skb->nh.raw[nhoff]
next header is pointed by nhoff (which means, the next header is skb->nh.raw[nhoff])
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA
* Re: IPsecv6 integrity failures not dropped
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2003-04-19 2:50 UTC (permalink / raw)
To: latten; +Cc: davem, kuznet, netdev, linux-kernel
In article <200304182017.h3IKH4ng019821@faith.austin.ibm.com> (at Fri, 18 Apr 2003 15:17:04 -0500), latten@austin.ibm.com says:
> incoming packet fails, result is an ICMPv6 Parameter problem
> of Unknown-Next-Header, instead of just dropping packet. This
> is because xfrm6_rcv() expects an unsigned-8-bit return value
> from the input handler, i.e. ah6_input() or esp6_input(). But handler
> returns a signed int (-EINVAL) that seems to be getting converted into
> a "u8" via 2's complement, because ah6_input() says it is returning
> -EINVAL/-22, but xfrm6_rcv() says it got a return value of 234,
> which it believes to be valid and passes to ip6_input() who thinks it is
> the next header.
>
> I modified ah6_input() and esp6_input() to return zero instead of -EINVAL
> in the fix below. I tested it and it works.
just change u8 nexthdr = 0 to int nexthdr = 0, in xfrm6_rcv() is fine,
isn't it?
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA
* Re: IPsecv6 integrity failures not dropped
From: David S. Miller @ 2003-04-20 3:35 UTC (permalink / raw)
To: yoshfuji; +Cc: latten, kuznet, netdev, linux-kernel
   From: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@wide.ad.jp>
   Date: Sat, 19 Apr 2003 11:50:53 +0900 (JST)

   just change u8 nexthdr = 0 to int nexthdr = 0, in xfrm6_rcv() is fine,
   isn't it?

That's exactly the most correct fix, applied to my tree.
Thanks.
^ permalink raw reply [flat|nested] 6+ messages in thread
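The truncation discussed in this thread, as an added example that is not part of any message or of the kernel source: a user-space C model of a handler result stored in a `u8` versus an `int`. `demo_input()`, `rcv_u8()`, `rcv_int()`, `dispatch()` and the verdict names are hypothetical stand-ins for the input handler, the two variants of the receive path, and the caller that acts on the result.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the thread's bug; all names are hypothetical, not kernel code. */
#define DEMO_EINVAL  22   /* the thread quotes -EINVAL as -22 */
#define NEXTHDR_TCP  6
#define NEXTHDR_UDP  17

enum verdict { V_DROP, V_DONE, V_DELIVER, V_PARAM_PROBLEM };

/* Stand-in for ah6_input()/esp6_input(): next header on success,
 * -EINVAL when the integrity check fails. */
static int demo_input(int icv_ok)
{
    return icv_ok ? NEXTHDR_TCP : -DEMO_EINVAL;
}

/* Receive path as reported: the handler's int result lands in an
 * unsigned 8-bit variable, so -22 wraps modulo 256 to 234. */
static int rcv_u8(int icv_ok)
{
    uint8_t nexthdr = 0;
    nexthdr = demo_input(icv_ok);
    return nexthdr;
}

/* Receive path after the accepted fix: the variable is an int,
 * so the negative error code survives. */
static int rcv_int(int icv_ok)
{
    int nexthdr = 0;
    nexthdr = demo_input(icv_ok);
    return nexthdr;
}

/* Stand-in for the caller: negative drops, zero stops, positive is a next header. */
static enum verdict dispatch(int ret)
{
    if (ret < 0)  return V_DROP;
    if (ret == 0) return V_DONE;
    if (ret == NEXTHDR_TCP || ret == NEXTHDR_UDP) return V_DELIVER;
    return V_PARAM_PROBLEM;   /* unknown next header: ICMPv6 error is sent */
}

int main(void)
{
    printf("u8:  ret=%d verdict=%d\n", rcv_u8(0), dispatch(rcv_u8(0)));
    printf("int: ret=%d verdict=%d\n", rcv_int(0), dispatch(rcv_int(0)));
    return 0;
}
```

With the `u8` variable a failed integrity check yields an error reply to the sender; with the `int` variable the same packet is dropped silently.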