linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Richard Weinberger <richard@nod.at>
To: Florian Westphal <fw@strlen.de>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	David Miller <davem@davemloft.net>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	David Gstir <david@sigma-star.at>,
	kaber@trash.net, "keescook@chromium.org" <keescook@chromium.org>
Subject: Re: nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID
Date: Fri, 30 Jun 2017 22:23:24 +0200	[thread overview]
Message-ID: <ad87cf0f-2ff4-48d7-b53c-bc4b5e98cfca@nod.at> (raw)
In-Reply-To: <20170630195547.GN9307@breakpoint.cc>

Florian,

Am 30.06.2017 um 21:55 schrieb Florian Westphal:
>>> Why not use a hash of the address?
>>
>> Would also work. Or xor it with a random number.
>>
>> On the other hand, for user space it would be more useful when the conntrack id
>> does not repeat that often. That's why I favor the good old counter method.
>> Currently the conntrack id is reused very fast.
>> e.g. in one of our applications we use the conntack id via NFQUEUE and watch the
>> destroy events via conntrack. It happens regularly that a new connection has the
>> same id than a different connection we saw some moments before, before we receive
>> the destroy event from the conntrack socket.
> 
> Perhaps we can place that in a new extension (its not needed in any
> fastpath ops)?

To get rid of the infoleak we have to re-introduce the id field in struct nf_conn
and struct nf_conntrack_expect.
Otherwise have nothing to compare against in the conntrack/expect remove case.

So the only question is what to store, IMHO a counter that can wrap around is the
cheapest method and would also not harm the fast-path.

Thanks,
//richard

  reply	other threads:[~2017-06-30 20:23 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-30 19:25 nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID Richard Weinberger
2017-06-30 19:35 ` Florian Westphal
2017-06-30 19:45   ` Richard Weinberger
2017-06-30 19:55     ` Florian Westphal
2017-06-30 20:23       ` Richard Weinberger [this message]
2017-07-01  9:44         ` Pablo Neira Ayuso
2017-07-01 10:35         ` Florian Westphal
2017-07-12 21:26           ` Richard Weinberger
2017-07-12 22:19             ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ad87cf0f-2ff4-48d7-b53c-bc4b5e98cfca@nod.at \
    --to=richard@nod.at \
    --cc=coreteam@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=david@sigma-star.at \
    --cc=fw@strlen.de \
    --cc=kaber@trash.net \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).