From patchwork Tue Dec 12 01:17:13 2017
X-Patchwork-Submitter: Darrell Ball
X-Patchwork-Id: 847308
From: Darrell Ball
To: dlu998@gmail.com, dev@openvswitch.org
Cc: Daniele Di Proietto, wangzhike
Date: Mon, 11 Dec 2017 17:17:13 -0800
Message-Id: <1513041433-44702-1-git-send-email-dlu998@gmail.com>
Subject: [ovs-dev] [patch 2.7] conntrack: Fix icmp error address sanity check.

An address sanity check is done on icmp error packets to check that the icmp error payload makes sense w.r.t. the packet itself. The sanity check was partially incorrect since it tried to verify the source address of the error packet against the original destination, which does not make sense since the error can be generated by any intermediate node.

Reported-by: wangzhike
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html
Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
CC: Daniele Di Proietto
Signed-off-by: Darrell Ball
Signed-off-by: wangzhike
Co-authored-by: wangzhike
Signed-off-by: Darrell Ball

--- lib/conntrack.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index 677c0d2..4284770 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c
@@ -780,8 +780,7 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size, } /* pf doesn't do this, but it seems a good idea */ - if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned - || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) { + if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) { return false; } @@ -869,9 +868,7 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size, /* pf doesn't do this, but it seems a good idea */ if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned, - &key->dst.addr.ipv6_aligned) - || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned, - &key->src.addr.ipv6_aligned)) { + &key->dst.addr.ipv6_aligned)) { return false; }
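
Review bot: The comment "/* pf doesn't do this, but it seems a good idea */" in the extract_l4_icmp hunk is left unchanged above a condition that now compares only inner_key.src.addr.ipv4_aligned with key->dst.addr.ipv4_aligned, so it no longer tells the reader what is being enforced. Please extend it to state that the embedded packet's source must equal the error packet's destination, and that the error packet's source is deliberately not compared because, as the commit message says, any intermediate node can generate the error. Without that, a later reader could take the missing clause for an omission and restore it.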
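
Review bot: No test accompanies the relaxed ipv6_addr_equals() condition in the extract_l4_icmp6 hunk; the diffstat lists only lib/conntrack.c. Since this is the only address binding left between the error packet and its embedded payload, please add coverage for both outcomes: an ICMP error whose source is an intermediate node rather than the original destination is accepted, and one whose embedded source differs from the error packet's destination is still rejected. The same pair of cases would cover the IPv4 path in extract_l4_icmp.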