Patch Detail
GET /api/patches/808998/?format=api
{ "id": 808998, "url": "http://patchwork.ozlabs.org/api/patches/808998/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/20170901210412.2915-3-tom@quantonium.net/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170901210412.2915-3-tom@quantonium.net>", "list_archive_url": null, "date": "2017-09-01T21:04:12", "name": "[v2,net-next,2/2] flow_dissector: Add limit for number of headers to dissect", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "30a43387bac02e23edba625183c855958bde5fce", "submitter": { "id": 72064, "url": "http://patchwork.ozlabs.org/api/people/72064/?format=api", "name": "Tom Herbert", "email": "tom@quantonium.net" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/20170901210412.2915-3-tom@quantonium.net/mbox/", "series": [ { "id": 1115, "url": "http://patchwork.ozlabs.org/api/series/1115/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=1115", "date": "2017-09-01T21:04:10", "name": "flow_dissector: Flow dissector fixes", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/1115/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/808998/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/808998/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<netdev-owner@vger.kernel.org>", "X-Original-To": "patchwork-incoming@ozlabs.org", "Delivered-To": "patchwork-incoming@ozlabs.org", 
"From": "Tom Herbert <tom@quantonium.net>", "To": "davem@davemloft.net", "Cc": "netdev@vger.kernel.org, hannes@stressinduktion.org,\n\talex.popov@linux.com, Tom Herbert <tom@quantonium.net>", "Subject": "[PATCH v2 net-next 2/2] flow_dissector: Add limit for number of\n\theaders to dissect", "Date": "Fri, 1 Sep 2017 14:04:12 -0700", "Message-Id": "<20170901210412.2915-3-tom@quantonium.net>", "X-Mailer": "git-send-email 2.11.0", "In-Reply-To": "<20170901210412.2915-1-tom@quantonium.net>", "References": "<20170901210412.2915-1-tom@quantonium.net>", "Sender": 
"netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "In flow dissector there are no limits to the number of nested\nencapsulations or headers that might be dissected which makes for a\nnice DoS attack. This patch sets a limit of the number of headers\nthat flow dissector will parse.\n\nHeaders include network layer headers, transport layer headers, shim\nheaders for encapsulation, IPv6 extension headers, etc. The limit for\nmaximum number of headers to parse has been set to fifteen to account for\na reasonable number of encapsulations, extension headers, VLAN,\nin a packet. Note that this limit does not supersede the STOP_AT_*\nflags which may stop processing before the headers limit is reached.\n\nReported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>\nSigned-off-by: Tom Herbert <tom@quantonium.net>\n---\n net/core/flow_dissector.c | 25 ++++++++++++++++++++++---\n 1 file changed, 22 insertions(+), 3 deletions(-)", "diff": "diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c\nindex e0ea17d1c7fc..0a977373d003 100644\n--- a/net/core/flow_dissector.c\n+++ b/net/core/flow_dissector.c\n@@ -396,6 +396,18 @@ __skb_flow_dissect_ipv6(const struct sk_buff *skb,\n \tkey_ip->ttl = iph->hop_limit;\n }\n \n+/* Maximum number of protocol headers that can be parsed in\n+ * __skb_flow_dissect\n+ */\n+#define MAX_FLOW_DISSECT_HDRS\t15\n+\n+static bool skb_flow_dissect_allowed(int *num_hdrs)\n+{\n+\t++*num_hdrs;\n+\n+\treturn (*num_hdrs <= MAX_FLOW_DISSECT_HDRS);\n+}\n+\n /**\n * __skb_flow_dissect - extract the flow_keys struct and return it\n * @skb: sk_buff to extract the flow from, can be NULL if the rest are specified\n@@ -427,6 +439,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,\n \tstruct flow_dissector_key_vlan *key_vlan;\n \tenum flow_dissect_ret fdret;\n \tbool skip_vlan = false;\n+\tint num_hdrs = 0;\n \tu8 ip_proto = 0;\n \tbool ret;\n \n@@ 
-714,7 +727,9 @@ bool __skb_flow_dissect(const struct sk_buff *skb,\n \tcase FLOW_DISSECT_RET_OUT_GOOD:\n \t\tgoto out_good;\n \tcase FLOW_DISSECT_RET_PROTO_AGAIN:\n-\t\tgoto proto_again;\n+\t\tif (skb_flow_dissect_allowed(&num_hdrs))\n+\t\t\tgoto proto_again;\n+\t\tgoto out_good;\n \tcase FLOW_DISSECT_RET_CONTINUE:\n \tcase FLOW_DISSECT_RET_IPPROTO_AGAIN:\n \t\tbreak;\n@@ -843,9 +858,13 @@ bool __skb_flow_dissect(const struct sk_buff *skb,\n \t/* Process result of IP proto processing */\n \tswitch (fdret) {\n \tcase FLOW_DISSECT_RET_PROTO_AGAIN:\n-\t\tgoto proto_again;\n+\t\tif (skb_flow_dissect_allowed(&num_hdrs))\n+\t\t\tgoto proto_again;\n+\t\tbreak;\n \tcase FLOW_DISSECT_RET_IPPROTO_AGAIN:\n-\t\tgoto ip_proto_again;\n+\t\tif (skb_flow_dissect_allowed(&num_hdrs))\n+\t\t\tgoto ip_proto_again;\n+\t\tbreak;\n \tcase FLOW_DISSECT_RET_OUT_GOOD:\n \tcase FLOW_DISSECT_RET_CONTINUE:\n \t\tbreak;\n", "prefixes": [ "v2", "net-next", "2/2" ] }
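Review bot: in the first hunk the value in `#define MAX_FLOW_DISSECT_HDRS\t15` is justified only in the commit message; the block comment above it should say what the budget is meant to cover (stacked encapsulations, IPv6 extension headers, VLAN tags) so whoever tunes it later knows what it accounts for. It would also help to note in that comment that `skb_flow_dissect_allowed()` increments before comparing, so a caller gets exactly MAX_FLOW_DISSECT_HDRS successful re-entries and the counter is left one past the limit on rejection.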
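Review bot: in the `@@ -714,7 +727,9 @@` hunk, hitting the limit in the FLOW_DISSECT_RET_PROTO_AGAIN case does `goto out_good;`, so a packet whose header chain was deliberately cut short is reported as a successful dissection. That is consistent with the STOP_AT_* behaviour the commit message describes, but a one-line comment at the new `goto out_good;` saying the truncation is intentional would stop readers from taking it for a bug, and it is worth stating whether callers that depend on the full header chain need to be able to tell a truncated result from a complete one.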
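Review bot: the `@@ -843,9 +858,13 @@` hunk handles limit exhaustion with `break` for both FLOW_DISSECT_RET_PROTO_AGAIN and FLOW_DISSECT_RET_IPPROTO_AGAIN, while the earlier FLOW_DISSECT_RET_PROTO_AGAIN site uses `goto out_good`. If the code after this switch reaches the same out_good exit the asymmetry is harmless but deserves a comment; if it does not, the two PROTO_AGAIN sites now disagree on the outcome of a truncated dissection. Suggest using the same exit in both places, or a comment explaining why they differ.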