From patchwork Sun Dec 9 05:43:23 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Neal Cardwell
X-Patchwork-Id: 204689
X-Patchwork-Delegate: davem@davemloft.net
From: Neal Cardwell
To: David Miller
Cc: edumazet@google.com, netdev@vger.kernel.org, Neal Cardwell
Subject: [PATCH net 3/3] inet_diag: avoid unsafe and nonsensical prefix matches in inet_diag_bc_run()
Date: Sun, 9 Dec 2012 00:43:23 -0500
Message-Id: <1355031803-14547-3-git-send-email-ncardwell@google.com>
X-Mailer: git-send-email 1.7.7.3
In-Reply-To: <1355031803-14547-1-git-send-email-ncardwell@google.com>
References: <1355031803-14547-1-git-send-email-ncardwell@google.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

Add logic to check the address family of the user-supplied conditional
and the address family of the connection entry. We now do not do
prefix matching of addresses from different address families (AF_INET
vs AF_INET6), except for the previously existing support for having an
IPv4 prefix match an IPv4-mapped IPv6 address (which this commit
maintains as-is).

This change is needed for two reasons:

(1) The addresses are different lengths, so comparing a 128-bit IPv6
prefix match condition to a 32-bit IPv4 connection address can cause
us to unwittingly walk off the end of the IPv4 address and read
garbage or oops.

(2) The IPv4 and IPv6 address spaces are semantically distinct, so a
simple bit-wise comparison of the prefixes is not meaningful, and
would lead to bogus results (except for the IPv4-mapped IPv6 case,
which this commit maintains).

Signed-off-by: Neal Cardwell
---
 net/ipv4/inet_diag.c |   28 +++++++++++++++++-----------
 1 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 529747d..95f1a45 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -432,25 +432,31 @@ static int inet_diag_bc_run(const struct nlattr *_bc, break; } - if (cond->prefix_len == 0) - break; - if (op->code == INET_DIAG_BC_S_COND) addr = entry->saddr; else addr = entry->daddr; + if (cond->family != AF_UNSPEC && + cond->family != entry->family) { + if (entry->family == AF_INET6 && + cond->family == AF_INET) { + if (addr[0] == 0 && addr[1] == 0 && + addr[2] == htonl(0xffff) && + bitstring_match(addr + 3, + cond->addr, + cond->prefix_len)) + break; + } + yes = 0; + break; + } + + if (cond->prefix_len == 0) + break; if (bitstring_match(addr, cond->addr, cond->prefix_len)) break; - if (entry->family == AF_INET6 && - cond->family == AF_INET) { - if (addr[0] == 0 && addr[1] == 0 && - addr[2] == htonl(0xffff) && - bitstring_match(addr + 3, cond->addr, - cond->prefix_len)) - break; - } yes = 0; break; }
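Review bot: in the fall-through path after the new family check, a condition with cond->family == AF_UNSPEC skips the check and still reaches bitstring_match(addr, cond->addr, cond->prefix_len), and nothing in this hunk bounds cond->prefix_len by the length of the entry's address. A prefix longer than 32 bits against an AF_INET entry would then hit the same over-read that reason (1) of the commit message describes. If prefix_len is validated against the family before inet_diag_bc_run() is reached, a short comment here saying so would make that dependency visible; otherwise a length check belongs next to the family test. Separately, moving the "if (cond->prefix_len == 0) break;" test below the family check means a zero-length prefix no longer matches unconditionally: with a mismatched family it now ends in "yes = 0" unless the IPv4-mapped case applies. That looks intended, but it is a behaviour change the commit message does not mention and should.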