Message ID | 1513044533-78015-1-git-send-email-dlu998@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [ovs-dev,v2,2.7] conntrack: Fix icmp error address sanity check. | expand |
On Mon, Dec 11, 2017 at 06:08:53PM -0800, Darrell Ball wrote: > An address sanity check is done on icmp error packets to > check that the icmp error payload makes sense w.r.t. the > packet itself. > > The sanity check was partially incorrect since it tried > to verify the source address of the error packet against the > original destination, which does not makes since the error > can be generated by any intermediate node. > > Reported-by: wangzhike <wangzhike@jd.com> > Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html > Fixes: a489b1685 ("conntrack: New userspace connection tracker.") > CC: Daniele Di Proietto <diproiettod@vmware.com> > Signed-off-by: Darrell Ball <dlu998@gmail.com> > Signed-off-by: wangzhike <wangzhike@jd.com> > Co-authored-by: wangzhike <wangzhike@jd.com> Thanks! I applied this to branch-2.7 and branch-2.6.
diff --git a/lib/conntrack.c b/lib/conntrack.c index 677c0d2..4284770 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -780,8 +780,7 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size, } /* pf doesn't do this, but it seems a good idea */ - if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned - || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) { + if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) { return false; } @@ -869,9 +868,7 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size, /* pf doesn't do this, but it seems a good idea */ if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned, - &key->dst.addr.ipv6_aligned) - || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned, - &key->src.addr.ipv6_aligned)) { + &key->dst.addr.ipv6_aligned)) { return false; }