From: Huw Davies <huw@codeweavers.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
selinux@tycho.nsa.gov, Paul Moore <pmoore@redhat.com>
Subject: Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.
Date: Tue, 22 Dec 2015 16:59:19 +0000 [thread overview]
Message-ID: <20151222165919.GA31791@merlot> (raw)
In-Reply-To: <5679551C.4000105@stressinduktion.org>
On Tue, Dec 22, 2015 at 02:50:20PM +0100, Hannes Frederic Sowa wrote:
> On 22.12.2015 12:46, Huw Davies wrote:
> >
> > +/* CALIPSO RFC 5570 */
> > +
> > +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff)
> > +{
> > + const unsigned char *nh = skb_network_header(skb);
> > +
> > + if (nh[optoff + 1] < 8)
> > + goto drop;
> > +
> > + if (nh[optoff + 6] * 4 + 8 > nh[optoff + 1])
> > + goto drop;
> > +
> > + if (!calipso_validate(skb, nh + optoff))
> > + goto drop;
> > +
> > + return true;
> > +
> > +drop:
> > + kfree_skb(skb);
> > + return false;
> > +}
> > +
>
> Formally, if an extension header could not be processed, the packet
> should be discarded and an icmp error parameter extension should be
> send. I think we shouldn't let those packets pass here.
Thanks for your comments Hannes, I'm looking into your other
suggestions.
I'm confused about this one. AFAICS, this will drop packets that we
can't process. We don't send the icmp error, but I can certainly add
that. Is that what you mean?
Thanks,
Huw.
next prev parent reply other threads:[~2015-12-22 16:59 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-22 11:46 [RFC PATCH 16/17] calipso: Add validation of CALIPSO option Huw Davies
2015-12-22 13:50 ` Hannes Frederic Sowa
2015-12-22 16:59 ` Huw Davies [this message]
2015-12-22 21:47 ` Hannes Frederic Sowa
2015-12-22 22:29 ` Huw Davies
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151222165919.GA31791@merlot \
--to=huw@codeweavers.com \
--cc=hannes@stressinduktion.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).