Message ID | 20180306234808.4500-1-kumaranand@vmware.com |
---|---|
State | Accepted |
Series | [ovs-dev,v2] datapath-windows: Do not drop Ip fragments less than MIN_FRAGMENT_SIZE |
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>

Alin.

-----Original Message-----
From: ovs-dev-bounces@openvswitch.org <ovs-dev-bounces@openvswitch.org> On behalf of Anand Kumar
Sent: Wednesday, March 7, 2018 1:48 AM
To: dev@openvswitch.org
Subject: [ovs-dev] [PATCH v2] datapath-windows: Do not drop Ip fragments less than MIN_FRAGMENT_SIZE

Previously ipfragment module would drop any fragments less than MIN_FRAGMENT_SIZE (400 bytes), which was added to safeguard against the vulnerability CVE-2000-0305. This check is incorrect, since the minimum size of the Ip fragment is 68 bytes (i.e. max length of Ip Header + 8 bytes of L4 header). So Ip fragments less than MIN_FRAGMENT_SIZE (400 bytes) are not guaranteed to be malformed or illegal.

To guard against security vulnerability CVE-2000-0305, for a given ip datagram, ipfragments should be dropped only when the number of smallest fragments received reaches a certain threshold.

Signed-off-by: Anand Kumar <kumaranand@vmware.com>
---
 datapath-windows/ovsext/IpFragment.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/datapath-windows/ovsext/IpFragment.c b/datapath-windows/ovsext/IpFragment.c
index 3d5277a..d59d7cf 100644
--- a/datapath-windows/ovsext/IpFragment.c
+++ b/datapath-windows/ovsext/IpFragment.c
@@ -25,10 +25,10 @@ #undef OVS_DBG_MOD #endif #define OVS_DBG_MOD OVS_DBG_IPFRAG -/* Based on MIN_FRAGMENT_SIZE.*/ -#define MAX_FRAGMENTS 164 + #define MIN_FRAGMENT_SIZE 400 #define MAX_IPDATAGRAM_SIZE 65535 +#define MAX_FRAGMENTS MAX_IPDATAGRAM_SIZE/MIN_FRAGMENT_SIZE + 1 /* Function declarations */ static KSTART_ROUTINE OvsIpFragmentEntryCleaner; 
@@ -275,10 +275,7 @@ OvsProcessIpv4Fragment(POVS_SWITCH_CONTEXT switchContext, offset = ntohs(ipHdr->frag_off) & IP_OFFSET; offset <<= 3; flags = ntohs(ipHdr->frag_off) & IP_MF; - /* Only the last fragment can be of smaller size.*/ - if (flags && ntohs(ipHdr->tot_len) < MIN_FRAGMENT_SIZE) { - return NDIS_STATUS_INVALID_LENGTH; - } + /*Copy fragment specific fields. */ fragKey.protocol = ipHdr->protocol; fragKey.id = ipHdr->id; -- 2.9.3.windows.1
Hi Alin,

Thanks for reviewing the patch.
Can we get this patch applied?

Thanks,
Anand Kumar

On 3/7/18, 3:42 AM, "ovs-dev-bounces@openvswitch.org on behalf of aserdean@ovn.org" <ovs-dev-bounces@openvswitch.org on behalf of aserdean@ovn.org> wrote:

    Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>

    Alin.
Applied on master!

Thanks,
Alin.

> -----Original Message-----
> From: ovs-dev-bounces@openvswitch.org <ovs-dev-bounces@openvswitch.org> On behalf of Anand Kumar
> Sent: Thursday, March 8, 2018 2:16 AM
> To: aserdean@ovn.org; dev@openvswitch.org
> Subject: Re: [ovs-dev] [PATCH v2] datapath-windows: Do not drop Ip fragments less than MIN_FRAGMENT_SIZE
>
> Hi Alin,
>
> Thanks for reviewing the patch.
> Can we get this patch applied?
>
> Thanks,
> Anand Kumar
>
diff --git a/datapath-windows/ovsext/IpFragment.c b/datapath-windows/ovsext/IpFragment.c index 3d5277a..d59d7cf 100644 --- a/datapath-windows/ovsext/IpFragment.c +++ b/datapath-windows/ovsext/IpFragment.c @@ -25,10 +25,10 @@ #undef OVS_DBG_MOD #endif #define OVS_DBG_MOD OVS_DBG_IPFRAG -/* Based on MIN_FRAGMENT_SIZE.*/ -#define MAX_FRAGMENTS 164 + #define MIN_FRAGMENT_SIZE 400 #define MAX_IPDATAGRAM_SIZE 65535 +#define MAX_FRAGMENTS MAX_IPDATAGRAM_SIZE/MIN_FRAGMENT_SIZE + 1 /* Function declarations */ static KSTART_ROUTINE OvsIpFragmentEntryCleaner; @@ -275,10 +275,7 @@ OvsProcessIpv4Fragment(POVS_SWITCH_CONTEXT switchContext, offset = ntohs(ipHdr->frag_off) & IP_OFFSET; offset <<= 3; flags = ntohs(ipHdr->frag_off) & IP_MF; - /* Only the last fragment can be of smaller size.*/ - if (flags && ntohs(ipHdr->tot_len) < MIN_FRAGMENT_SIZE) { - return NDIS_STATUS_INVALID_LENGTH; - } + /*Copy fragment specific fields. */ fragKey.protocol = ipHdr->protocol; fragKey.id = ipHdr->id;
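Review bot: in the first hunk the new `#define MAX_FRAGMENTS MAX_IPDATAGRAM_SIZE/MIN_FRAGMENT_SIZE + 1` is not parenthesised, so any use of it as an operand (`MAX_FRAGMENTS * n`, `sizeof(x) * MAX_FRAGMENTS`) expands to `65535/400 + 1*n` instead of `164*n`; write it as `#define MAX_FRAGMENTS ((MAX_IPDATAGRAM_SIZE / MIN_FRAGMENT_SIZE) + 1)`. The value (163 + 1 = 164) equals the literal the hunk removes, so existing callers see no change, but the deleted `/* Based on MIN_FRAGMENT_SIZE.*/` comment was the only statement of why the number is what it is; a one-line comment saying that 164 is the most MIN_FRAGMENT_SIZE-byte pieces a MAX_IPDATAGRAM_SIZE datagram can split into would preserve that rationale next to the new expression.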
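Review bot: the second hunk deletes the `ntohs(ipHdr->tot_len) < MIN_FRAGMENT_SIZE` rejection in OvsProcessIpv4Fragment but adds nothing in its place, while the commit message says fragments should now be dropped once the number of smallest fragments for a datagram reaches a threshold; nothing in this diff implements or references such a threshold (MAX_FRAGMENTS is redefined in the first hunk but not used here). If an existing per-datagram fragment-count limit is what the message relies on, the commit message should name it; otherwise the threshold check is missing and the CVE-2000-0305 safeguard is removed rather than replaced. Minor: the added `/*Copy fragment specific fields. */` lacks the space after `/*` used by the surrounding comments.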
Previously ipfragment module would drop any fragments less than MIN_FRAGMENT_SIZE (400 bytes), which was added to safeguard against the vulnerability CVE-2000-0305. This check is incorrect, since the minimum size of the Ip fragment is 68 bytes (i.e. max length of Ip Header + 8 bytes of L4 header). So Ip fragments less than MIN_FRAGMENT_SIZE (400 bytes) are not guaranteed to be malformed or illegal.

To guard against security vulnerability CVE-2000-0305, for a given ip datagram, ipfragments should be dropped only when the number of smallest fragments received reaches a certain threshold.

Signed-off-by: Anand Kumar <kumaranand@vmware.com>
---
 datapath-windows/ovsext/IpFragment.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
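An added C illustration, not OVS code and not part of this patch, of two points the thread raises: how the unparenthesised MAX_FRAGMENTS macro from the first hunk misbehaves as an operand, and the difference between the removed size check and the per-datagram fragment cap the commit message describes. `struct entry` and the `*_accepts` functions are hypothetical stand-ins for the datapath's reassembly state; the constants are the ones in the diff.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constants from the diff. MAX_FRAGMENTS_DIFF is spelled exactly as the patch
 * defines MAX_FRAGMENTS (no parentheses); MAX_FRAGMENTS is the safe form. */
#define MIN_FRAGMENT_SIZE   400
#define MAX_IPDATAGRAM_SIZE 65535
#define MAX_FRAGMENTS_DIFF  MAX_IPDATAGRAM_SIZE/MIN_FRAGMENT_SIZE + 1
#define MAX_FRAGMENTS       ((MAX_IPDATAGRAM_SIZE / MIN_FRAGMENT_SIZE) + 1)

/* With the unparenthesised macro on the left of '*', only the "+ 1" term is
 * multiplied: 65535/400 + 1*2 = 165, where 164*2 = 328 was intended. */
int slots_for_two_datagrams_diff(void) { return MAX_FRAGMENTS_DIFF * 2; }
int slots_for_two_datagrams(void)      { return MAX_FRAGMENTS * 2; }

/* Check the patch removes: a non-last fragment (IP_MF set) shorter than
 * MIN_FRAGMENT_SIZE is rejected, so a legal 68-byte fragment never reassembles.
 * tot_len is the IPv4 total length in host order. */
bool old_policy_accepts(uint16_t tot_len, bool more_frags)
{
    return !(more_frags && tot_len < MIN_FRAGMENT_SIZE);
}

/* Per-datagram reassembly state (hypothetical; not OVS's structure). */
struct entry {
    unsigned int count;  /* fragments already accepted for this datagram */
};

/* Policy the commit message asks for: size alone is no reason to drop; the
 * datagram is capped at MAX_FRAGMENTS pieces, bounding what a flood can tie up. */
bool threshold_policy_accepts(struct entry *e)
{
    if (e->count >= MAX_FRAGMENTS) {
        return false;
    }
    e->count++;
    return true;
}

/* Offer n fragments for one datagram; return how many the cap lets through. */
unsigned int accepted_under_threshold(unsigned int n)
{
    struct entry e = { 0 };
    unsigned int ok = 0;
    for (unsigned int i = 0; i < n; i++) {
        ok += threshold_policy_accepts(&e) ? 1 : 0;
    }
    return ok;
}
```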