Message ID | 20190117102722.14474-1-nicolas.dichtel@6wind.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | [net,v2] af_packet: fix raw sockets over 6in4 tunnel | expand |
On Thu, Jan 17, 2019 at 5:29 AM Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote: > > Since commit cb9f1b783850, scapy (which uses an AF_PACKET socket in > SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel: > > Here is a example of the setup: > $ ip link set ntfp2 up > $ ip addr add 10.125.0.1/24 dev ntfp2 > $ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2 > $ ip addr add fd00:cafe:cafe::1/128 dev tun1 > $ ip link set dev tun1 up > $ ip route add fd00:200::/64 dev tun1 > $ scapy > >>> p = [] > >>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest() > >>> send(p, count=1, inter=0.1) > >>> quit() > $ ip -s link ls dev tun1 | grep -A1 "TX.*errors" > TX: bytes packets errors dropped carrier collsns > 0 0 1 0 0 0 > > The problem is that the network offset is set to the hard_header_len of the > output device (tun1, ie 14 + 20) and in our case, because the packet is > small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes > (ipv6 header) starting from the network offset). > > This problem is more generally related to device with variable hard header > length. To avoid a too intrusive patch in the current release, a (ugly) > workaround is proposed in this patch. It has to be cleaned up in net-next. > > Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1 > Link: http://patchwork.ozlabs.org/patch/1024489/ > Fixes: cb9f1b783850 ("ip: validate header length on virtual device xmit") > CC: Willem de Bruijn <willemb@google.com> > CC: Maxim Mikityanskiy <maximmi@mellanox.com> > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: Willem de Bruijn <willemb@google.com>
From: Nicolas Dichtel <nicolas.dichtel@6wind.com> Date: Thu, 17 Jan 2019 11:27:22 +0100 > Since commit cb9f1b783850, scapy (which uses an AF_PACKET socket in > SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel: > > Here is a example of the setup: > $ ip link set ntfp2 up > $ ip addr add 10.125.0.1/24 dev ntfp2 > $ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2 > $ ip addr add fd00:cafe:cafe::1/128 dev tun1 > $ ip link set dev tun1 up > $ ip route add fd00:200::/64 dev tun1 > $ scapy >>>> p = [] >>>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest() >>>> send(p, count=1, inter=0.1) >>>> quit() > $ ip -s link ls dev tun1 | grep -A1 "TX.*errors" > TX: bytes packets errors dropped carrier collsns > 0 0 1 0 0 0 > > The problem is that the network offset is set to the hard_header_len of the > output device (tun1, ie 14 + 20) and in our case, because the packet is > small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes > (ipv6 header) starting from the network offset). > > This problem is more generally related to device with variable hard header > length. To avoid a too intrusive patch in the current release, a (ugly) > workaround is proposed in this patch. It has to be cleaned up in net-next. > > Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1 > Link: http://patchwork.ozlabs.org/patch/1024489/ > Fixes: cb9f1b783850 ("ip: validate header length on virtual device xmit") > CC: Willem de Bruijn <willemb@google.com> > CC: Maxim Mikityanskiy <maximmi@mellanox.com> > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> > --- > > v1 -> v2: > reset nh offset only for small packets sent on a variable hard hdr len device Applied.
On Thu, Jan 17, 2019 at 03:55:27PM -0800, David Miller wrote: >From: Nicolas Dichtel <nicolas.dichtel@6wind.com> >Date: Thu, 17 Jan 2019 11:27:22 +0100 > >> Since commit cb9f1b783850, scapy (which uses an AF_PACKET socket in >> SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel: >> >> Here is a example of the setup: >> $ ip link set ntfp2 up >> $ ip addr add 10.125.0.1/24 dev ntfp2 >> $ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2 >> $ ip addr add fd00:cafe:cafe::1/128 dev tun1 >> $ ip link set dev tun1 up >> $ ip route add fd00:200::/64 dev tun1 >> $ scapy >>>>> p = [] >>>>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest() >>>>> send(p, count=1, inter=0.1) >>>>> quit() >> $ ip -s link ls dev tun1 | grep -A1 "TX.*errors" >> TX: bytes packets errors dropped carrier collsns >> 0 0 1 0 0 0 >> >> The problem is that the network offset is set to the hard_header_len of the >> output device (tun1, ie 14 + 20) and in our case, because the packet is >> small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes >> (ipv6 header) starting from the network offset). >> >> This problem is more generally related to device with variable hard header >> length. To avoid a too intrusive patch in the current release, a (ugly) >> workaround is proposed in this patch. It has to be cleaned up in net-next. >> >> Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1 >> Link: http://patchwork.ozlabs.org/patch/1024489/ >> Fixes: cb9f1b783850 ("ip: validate header length on virtual device xmit") >> CC: Willem de Bruijn <willemb@google.com> >> CC: Maxim Mikityanskiy <maximmi@mellanox.com> >> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> >> --- >> >> v1 -> v2: >> reset nh offset only for small packets sent on a variable hard hdr len device > >Applied. Should this go to -stable as well? The patch it fixes is in 4.20. -- Thanks, Sasha
On Mon, Feb 18, 2019 at 1:50 PM Sasha Levin <sashal@kernel.org> wrote: > > On Thu, Jan 17, 2019 at 03:55:27PM -0800, David Miller wrote: > >From: Nicolas Dichtel <nicolas.dichtel@6wind.com> > >Date: Thu, 17 Jan 2019 11:27:22 +0100 > > > >> Since commit cb9f1b783850, scapy (which uses an AF_PACKET socket in > >> SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel: > >> > >> Here is a example of the setup: > >> $ ip link set ntfp2 up > >> $ ip addr add 10.125.0.1/24 dev ntfp2 > >> $ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2 > >> $ ip addr add fd00:cafe:cafe::1/128 dev tun1 > >> $ ip link set dev tun1 up > >> $ ip route add fd00:200::/64 dev tun1 > >> $ scapy > >>>>> p = [] > >>>>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest() > >>>>> send(p, count=1, inter=0.1) > >>>>> quit() > >> $ ip -s link ls dev tun1 | grep -A1 "TX.*errors" > >> TX: bytes packets errors dropped carrier collsns > >> 0 0 1 0 0 0 > >> > >> The problem is that the network offset is set to the hard_header_len of the > >> output device (tun1, ie 14 + 20) and in our case, because the packet is > >> small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes > >> (ipv6 header) starting from the network offset). > >> > >> This problem is more generally related to device with variable hard header > >> length. To avoid a too intrusive patch in the current release, a (ugly) > >> workaround is proposed in this patch. It has to be cleaned up in net-next. > >> > >> Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1 > >> Link: http://patchwork.ozlabs.org/patch/1024489/ > >> Fixes: cb9f1b783850 ("ip: validate header length on virtual device xmit") > >> CC: Willem de Bruijn <willemb@google.com> > >> CC: Maxim Mikityanskiy <maximmi@mellanox.com> > >> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> > >> --- > >> > >> v1 -> v2: > >> reset nh offset only for small packets sent on a variable hard hdr len device > > > >Applied. > > Should this go to -stable as well? The patch it fixes is in 4.20. I believe so. It was also backported to 4.19 stable.
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com> Date: Wed, 20 Feb 2019 13:39:23 -0500 > On Mon, Feb 18, 2019 at 1:50 PM Sasha Levin <sashal@kernel.org> wrote: >> Should this go to -stable as well? The patch it fixes is in 4.20. > > I believe so. It was also backported to 4.19 stable. Ok, I'll submit it, thanks.
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com> Date: Wed, 20 Feb 2019 13:39:23 -0500 > On Mon, Feb 18, 2019 at 1:50 PM Sasha Levin <sashal@kernel.org> wrote: >> Should this go to -stable as well? The patch it fixes is in 4.20. > > I believe so. It was also backported to 4.19 stable. It's queued up now.
On Fri, Feb 22, 2019 at 2:50 PM David Miller <davem@davemloft.net> wrote: > > From: Willem de Bruijn <willemdebruijn.kernel@gmail.com> > Date: Wed, 20 Feb 2019 13:39:23 -0500 > > > On Mon, Feb 18, 2019 at 1:50 PM Sasha Levin <sashal@kernel.org> wrote: > >> Should this go to -stable as well? The patch it fixes is in 4.20. > > > > I believe so. It was also backported to 4.19 stable. > > It's queued up now. Thanks David!
Le 23/02/2019 à 00:53, Willem de Bruijn a écrit : > On Fri, Feb 22, 2019 at 2:50 PM David Miller <davem@davemloft.net> wrote: >> >> From: Willem de Bruijn <willemdebruijn.kernel@gmail.com> >> Date: Wed, 20 Feb 2019 13:39:23 -0500 >> >>> On Mon, Feb 18, 2019 at 1:50 PM Sasha Levin <sashal@kernel.org> wrote: >>>> Should this go to -stable as well? The patch it fixes is in 4.20. >>> >>> I believe so. It was also backported to 4.19 stable. >> >> It's queued up now. > > Thanks David! > Thanks all and sorry for the late reply, I was off last week. Regards, Nicolas
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index d0945253f43b..3b1a78906bc0 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2887,7 +2887,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) goto out_free; } else if (reserve) { skb_reserve(skb, -reserve); - if (len < reserve) + if (len < reserve + sizeof(struct ipv6hdr) && + dev->min_header_len != dev->hard_header_len) skb_reset_network_header(skb); }