Message ID | 20170426071548.73171-1-donatas.abraitis@gmail.com |
---|---|
State | Changes Requested, archived |
Delegated to: | David Miller |
Headers | show |
Hi Donatas, [auto build test ERROR on net-next/master] url: https://github.com/0day-ci/linux/commits/Donatas-Abraitis/net-ipv6-make-sure-multicast-packets-are-not-forwarded-beyond-the-different-scopes/20170426-180846 config: x86_64-rhel (attached as .config) compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901 reproduce: # save the attached .config to linux build tree make ARCH=x86_64 All errors (new ones prefixed by >>): net//ipv6/ip6_input.c: In function 'ipv6_rcv': >> net//ipv6/ip6_input.c:174:10: error: expected ')' before 'goto' goto err; ^~~~ >> net//ipv6/ip6_input.c:225:1: error: expected expression before '}' token } ^ >> net//ipv6/ip6_input.c:166:3: error: label 'err' used but not defined goto err; ^~~~ >> net//ipv6/ip6_input.c:95:3: error: label 'drop' used but not defined goto drop; ^~~~ net//ipv6/ip6_input.c:77:6: warning: unused variable 'pkt_len' [-Wunused-variable] u32 pkt_len; ^~~~~~~ net//ipv6/ip6_input.c:225:1: warning: control reaches end of non-void function [-Wreturn-type] } ^ vim +174 net//ipv6/ip6_input.c 89 90 __IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_IN, skb->len); 91 92 if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL || 93 !idev || unlikely(idev->cnf.disable_ipv6)) { 94 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); > 95 goto drop; 96 } 97 98 memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm)); 99 100 /* 101 * Store incoming device index. When the packet will 102 * be queued, we cannot refer to skb->dev anymore. 103 * 104 * BTW, when we send a packet for our own local address on a 105 * non-loopback interface (e.g. ethX), it is being delivered 106 * via the loopback interface (lo) here; skb->dev = loopback_dev. 107 * It, however, should be considered as if it is being 108 * arrived via the sending interface (ethX), because of the 109 * nature of scoping architecture. --yoshfuji 110 */ 111 IP6CB(skb)->iif = skb_valid_dst(skb) ? ip6_dst_idev(skb_dst(skb))->dev->ifindex : dev->ifindex; 112 113 if (unlikely(!pskb_may_pull(skb, sizeof(*hdr)))) 114 goto err; 115 116 hdr = ipv6_hdr(skb); 117 118 if (hdr->version != 6) 119 goto err; 120 121 __IP6_ADD_STATS(net, idev, 122 IPSTATS_MIB_NOECTPKTS + 123 (ipv6_get_dsfield(hdr) & INET_ECN_MASK), 124 max_t(unsigned short, 1, skb_shinfo(skb)->gso_segs)); 125 /* 126 * RFC4291 2.5.3 127 * The loopback address must not be used as the source address in IPv6 128 * packets that are sent outside of a single node. [..] 129 * A packet received on an interface with a destination address 130 * of loopback must be dropped. 131 */ 132 if ((ipv6_addr_loopback(&hdr->saddr) || 133 ipv6_addr_loopback(&hdr->daddr)) && 134 !(dev->flags & IFF_LOOPBACK)) 135 goto err; 136 137 /* RFC4291 Errata ID: 3480 138 * Interface-Local scope spans only a single interface on a 139 * node and is useful only for loopback transmission of 140 * multicast. Packets with interface-local scope received 141 * from another node must be discarded. 142 */ 143 if (!(skb->pkt_type == PACKET_LOOPBACK || 144 dev->flags & IFF_LOOPBACK) && 145 ipv6_addr_is_multicast(&hdr->daddr) && 146 IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 1) 147 goto err; 148 149 /* If enabled, drop unicast packets that were encapsulated in link-layer 150 * multicast or broadcast to protected against the so-called "hole-196" 151 * attack in 802.11 wireless. 152 */ 153 if (!ipv6_addr_is_multicast(&hdr->daddr) && 154 (skb->pkt_type == PACKET_BROADCAST || 155 skb->pkt_type == PACKET_MULTICAST) && 156 idev->cnf.drop_unicast_in_l2_multicast) 157 goto err; 158 159 /* RFC4291 2.7 160 * Nodes must not originate a packet to a multicast address whose scope 161 * field contains the reserved value 0; if such a packet is received, it 162 * must be silently dropped. 163 */ 164 if (ipv6_addr_is_multicast(&hdr->daddr) && 165 IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 0) > 166 goto err; 167 168 /* RFC4291 2.7 169 * Routers must not forward any multicast packets beyond of the scope 170 * indicated by the scop field in the destination multicast address. 171 */ 172 if (ipv6_addr_is_multicast(&hdr->daddr) && 173 IPV6_ADDR_MC_SCOPE(&hdr->daddr) != IPV6_ADDR_MC_SCOPE(&hdr->saddr) > 174 goto err; 175 176 /* 177 * RFC4291 2.7 178 * Multicast addresses must not be used as source addresses in IPv6 179 * packets or appear in any Routing header. 180 */ 181 if (ipv6_addr_is_multicast(&hdr->saddr)) 182 goto err; 183 184 skb->transport_header = skb->network_header + sizeof(*hdr); 185 IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr); 186 187 pkt_len = ntohs(hdr->payload_len); 188 189 /* pkt_len may be zero if Jumbo payload option is present */ 190 if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) { 191 if (pkt_len + sizeof(struct ipv6hdr) > skb->len) { 192 __IP6_INC_STATS(net, 193 idev, IPSTATS_MIB_INTRUNCATEDPKTS); 194 goto drop; 195 } 196 if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr))) { 197 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 198 goto drop; 199 } 200 hdr = ipv6_hdr(skb); 201 } 202 203 if (hdr->nexthdr == NEXTHDR_HOP) { 204 if (ipv6_parse_hopopts(skb) < 0) { 205 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 206 rcu_read_unlock(); 207 return NET_RX_DROP; 208 } 209 } 210 211 rcu_read_unlock(); 212 213 /* Must drop socket now because of tproxy. */ 214 skb_orphan(skb); 215 216 return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, 217 net, NULL, skb, dev, NULL, 218 ip6_rcv_finish); 219 err: 220 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 221 drop: 222 rcu_read_unlock(); 223 kfree_skb(skb); 224 return NET_RX_DROP; > 225 } 226 227 /* 228 * Deliver the packet to the host --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c index 9ee208a..a834797 100644 --- a/net/ipv6/ip6_input.c +++ b/net/ipv6/ip6_input.c @@ -165,6 +165,14 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 0) goto err; + /* RFC4291 2.7 + * Routers must not forward any multicast packets beyond of the scope + * indicated by the scop field in the destination multicast address. + */ + if (ipv6_addr_is_multicast(&hdr->daddr) && + IPV6_ADDR_MC_SCOPE(&hdr->daddr) != IPV6_ADDR_MC_SCOPE(&hdr->saddr) + goto err; + /* * RFC4291 2.7 * Multicast addresses must not be used as source addresses in IPv6
RFC4291 2.7 Routers must not forward any multicast packets beyond of the scope indicated by the scop field in the destination multicast address. Signed-off-by: Donatas Abraitis <donatas.abraitis@gmail.com> --- net/ipv6/ip6_input.c | 8 ++++++++ 1 file changed, 8 insertions(+)