From patchwork Tue Dec 12 02:08:53 2017
X-Patchwork-Submitter: Darrell Ball
X-Patchwork-Id: 847315
From: Darrell Ball
To: dlu998@gmail.com, dev@openvswitch.org
Cc: Daniele Di Proietto, wangzhike
Date: Mon, 11 Dec 2017 18:08:53 -0800
Message-Id: <1513044533-78015-1-git-send-email-dlu998@gmail.com>
Subject: [ovs-dev] [patch v2 2.7] conntrack: Fix icmp error address sanity check.

An address sanity check is done on icmp error packets to check that the icmp error payload makes sense w.r.t. the packet itself. The sanity check was partially incorrect since it tried to verify the source address of the error packet against the original destination, which does not make sense since the error can be generated by any intermediate node.

Reported-by: wangzhike
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html
Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
CC: Daniele Di Proietto
Signed-off-by: Darrell Ball
Signed-off-by: wangzhike
Co-authored-by: wangzhike
--- lib/conntrack.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index 677c0d2..4284770 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c
@@ -780,8 +780,7 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size, } /* pf doesn't do this, but it seems a good idea */ - if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned - || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) { + if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) { return false; } @@ -869,9 +868,7 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size, /* pf doesn't do this, but it seems a good idea */ if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned, - &key->dst.addr.ipv6_aligned) - || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned, - &key->src.addr.ipv6_aligned)) { + &key->dst.addr.ipv6_aligned)) { return false; }
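Review bot: In extract_l4_icmp(), the unchanged comment "/* pf doesn't do this, but it seems a good idea */" above the condition no longer tells the reader what is being checked, now that only inner_key.src is compared with key->dst. Suggest rewording it to state that the embedded packet's source must equal the error packet's destination, and that the error packet's own source is deliberately not compared because any intermediate node can generate the error. That keeps a later cleanup from restoring the dropped comparison.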
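Review bot: The extract_l4_icmp6() hunk relaxes the address check in the same way as the IPv4 one, but the diffstat lists lib/conntrack.c as the only file changed, so nothing exercises the new behaviour. Suggest adding test cases in which an ICMP and an ICMPv6 error arrive from an address other than the original destination and are still accepted, plus a negative case where the inner source does not match key->dst and extraction returns false.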