To: Toke Høiland-Jørgensen
Cc: davem@davemloft.net, netdev@vger.kernel.org, cake@lists.bufferbloat.net, Davide Caratti, Jiri Pirko, Jamal Hadi Salim, Cong Wang, Daniel Borkmann
From: Toshiaki Makita
Date: Tue, 7 Jul 2020 20:01:49 +0900
Subject: Re: [Cake] [PATCH net] vlan: consolidate VLAN parsing code and limit max parsing depth
Message-ID: <0baaad68-843a-c929-38e8-6448ce2ca1a8@gmail.com>
In-Reply-To: <87d057lhhw.fsf@toke.dk>
List-Id: Cake - FQ_codel the next generation

On 2020/07/07 19:57, Toke Høiland-Jørgensen wrote:
> Toshiaki Makita writes:
>
>> On 2020/07/06 21:29, Toke Høiland-Jørgensen wrote:
>>> Toshiaki pointed out that we now have two very similar functions to extract
>>> the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
>>> that the unbounded parsing loop makes it possible for maliciously crafted
>>> packets to loop through potentially hundreds of tags.
>>>
>>> Fix both of these issues by consolidating the two parsing functions and
>>> limiting the VLAN tag parsing to an arbitrarily-chosen, but hopefully
>>> conservative, max depth of 32 tags. As part of this, switch over
>>> __vlan_get_protocol() to use skb_header_pointer() instead of
>>> pskb_may_pull(), to avoid the possible side effects of the latter and keep
>>> the skb pointer 'const' through all the parsing functions.
>>>
>>> Reported-by: Toshiaki Makita
>>> Reported-by: Daniel Borkmann
>>> Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs")
>>> Signed-off-by: Toke Høiland-Jørgensen
>>> ---
>> ...
>>> @@ -623,13 +597,12 @@ static inline __be16 __vlan_get_protocol(struct sk_buff *skb, __be16 type, >>> vlan_depth = ETH_HLEN; >>> } >>> do { >>> - struct vlan_hdr *vh; >>> + struct vlan_hdr vhdr, *vh; >>> >>> - if (unlikely(!pskb_may_pull(skb, >>> - vlan_depth + VLAN_HLEN))) >>> + vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr); >> >> Some drivers which use vlan_get_protocol to get IP protocol for checksum offload discards >> packets when it cannot get the protocol. >> I guess for such users this function should try to get protocol even if it is not in skb header? >> I'm not sure such a case can happen, but since you care about this, you know real cases where >> vlan tag can be in skb frags? > > skb_header_pointer() will still succeed in reading the data, it'll just > do so by copying it into the buffer on the stack (vhdr) instead of > moving the SKB data itself around... True, probably I need some more coffee... Thanks. Toshiaki Makita
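Review bot: the added `vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr);` line replaces the `unlikely(!pskb_may_pull(...))` guard, and the quoted hunk ends before any test of the result. skb_header_pointer() returns NULL when `vlan_depth + sizeof(vhdr)` reaches past the end of the packet, so the next statement has to be an `if (unlikely(!vh))` that takes the same failure return the removed branch had, before `vh` is dereferenced. Since `vh` can now point at the on-stack `vhdr` copy rather than into the skb, a one-line comment saying it is only valid inside the current loop iteration would help later readers. The commit message also promises a cap of 32 tags; the loop bound is not in the quoted lines, so the `do { ... } while` exit condition is where to confirm it.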
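The two points discussed in this thread, a capped tag walk and a header read that copies non-linear bytes into a stack buffer instead of rearranging the packet, modelled in userspace C. This is an added example, not kernel code and not part of the patch; `struct pkt`, `hdr_ptr()`, `l3_proto()` and `parse_sample()` are hypothetical names, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
enum { ETH_HLEN = 14, VLAN_HLEN = 4, MAX_DEPTH = 32 };  /* 32: cap from the commit message */
#define IS_VLAN(t) ((t) == 0x8100 || (t) == 0x88A8)     /* 802.1Q / 802.1ad TPIDs */

/* Toy stand-in for an skb (an assumption of this example): linear head + one fragment. */
struct pkt { const uint8_t *head; size_t head_len; const uint8_t *frag; size_t frag_len; };

/* Models skb_header_pointer(): points into the head when the bytes are linear,
 * else copies them into buf; NULL if the packet is too short. p is never modified. */
static const uint8_t *hdr_ptr(const struct pkt *p, size_t off, size_t len, uint8_t *buf)
{
    if (off + len > p->head_len + p->frag_len) return NULL;
    if (off + len <= p->head_len) return p->head + off;
    for (size_t i = 0; i < len; i++)
        buf[i] = off + i < p->head_len ? p->head[off + i] : p->frag[off + i - p->head_len];
    return buf;
}

/* L3 EtherType in host byte order; 0 on truncation or more than MAX_DEPTH tags. */
static uint16_t l3_proto(const struct pkt *p)
{
    uint8_t tmp[VLAN_HLEN];
    const uint8_t *h = hdr_ptr(p, ETH_HLEN - 2, 2, tmp);
    uint16_t type = h ? (uint16_t)(h[0] << 8 | h[1]) : 0;
    for (size_t off = ETH_HLEN, depth = 0; IS_VLAN(type); off += VLAN_HLEN, depth++) {
        if (depth == MAX_DEPTH || !(h = hdr_ptr(p, off, VLAN_HLEN, tmp)))
            return 0;
        type = (uint16_t)(h[2] << 8 | h[3]);    /* h_vlan_encapsulated_proto */
    }
    return type;
}

/* Constructed sample: ntags (<= 64) 802.1Q tags, then IPv4; head = first `split` bytes, last `drop` bytes cut. */
static uint16_t parse_sample(int ntags, size_t split, size_t drop)
{
    uint8_t b[ETH_HLEN + 64 * VLAN_HLEN] = {0};
    size_t len = ETH_HLEN + (size_t)ntags * VLAN_HLEN - drop;
    for (int i = 0; i <= ntags; i++)
        b[12 + 4 * i] = i < ntags ? 0x81 : 0x08;    /* low bytes stay 0x00 */
    if (split > len) split = len;
    struct pkt p = { b, split, b + split, len - split };
    return l3_proto(&p);
}

int main(void)
{
    printf("split tag: %04x, 33 tags: %04x\n", (unsigned)parse_sample(2, 16, 0), (unsigned)parse_sample(33, 300, 0));
}
```

With `split = 16` the first tag straddles the head/fragment boundary, so the read is served from the stack copy and the protocol is still found, which is the behaviour Toke describes in his reply.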