From: Toshiaki Makita
To: Toke Høiland-Jørgensen, davem@davemloft.net
Cc: netdev@vger.kernel.org, cake@lists.bufferbloat.net, Davide Caratti, Jiri Pirko, Jamal Hadi Salim, Cong Wang, Daniel Borkmann
Date: Tue, 7 Jul 2020 19:44:30 +0900
Subject: Re: [Cake] [PATCH net] vlan: consolidate VLAN parsing code and limit max parsing depth
Message-ID: <234d54c2-5b34-7651-5e57-490bee9920ae@gmail.com>
In-Reply-To: <20200706122951.48142-1-toke@redhat.com>

On 2020/07/06 21:29, Toke Høiland-Jørgensen wrote:
> Toshiaki pointed out that we now have two very similar functions to extract
> the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
> that the unbounded parsing loop makes it possible for maliciously crafted
> packets to loop through potentially hundreds of tags.
>
> Fix both of these issues by consolidating the two parsing functions and
> limiting the VLAN tag parsing to an arbitrarily-chosen, but hopefully
> conservative, max depth of 32 tags. As part of this, switch over
> __vlan_get_protocol() to use skb_header_pointer() instead of
> pskb_may_pull(), to avoid the possible side effects of the latter and keep
> the skb pointer 'const' through all the parsing functions.
>
> Reported-by: Toshiaki Makita
> Reported-by: Daniel Borkmann
> Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs")
> Signed-off-by: Toke Høiland-Jørgensen
> ---
...
> @@ -623,13 +597,12 @@ static inline __be16 __vlan_get_protocol(struct sk_buff *skb, __be16 type, > vlan_depth = ETH_HLEN; > } > do { > - struct vlan_hdr *vh; > + struct vlan_hdr vhdr, *vh; > > - if (unlikely(!pskb_may_pull(skb, > - vlan_depth + VLAN_HLEN))) > + vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr);

Some drivers which use vlan_get_protocol to get the IP protocol for checksum offload discard packets when they cannot get the protocol. I guess for such users this function should try to get the protocol even if it is not in the skb header?

I'm not sure such a case can happen, but since you care about this, do you know real cases where a vlan tag can be in skb frags?

Toshiaki Makita
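
Review bot: at the `vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr);` line the quote ends before any check of `vh`, and skb_header_pointer() returns NULL when the requested bytes lie beyond the packet, so the line that follows needs to keep the bail-out that the removed `pskb_may_pull()` test provided (for example `if (unlikely(!vh))`). The `do {` loop shown here also carries no depth counter, so it is worth confirming that the 32-tag limit from the commit message is enforced inside this loop and not only in a caller. On the frags question in the reply: skb_header_pointer() copies into the on-stack `vhdr` when the bytes are outside the linear area, so a tag held in frags stays readable on this path without pulling.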
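
The bounded VLAN walk described in the quoted commit message, as an added userspace illustration over a flat byte buffer (not code from the patch or the kernel). `hdr_ptr`, `get_l3_proto`, `build_frame` and `MAX_VLAN_TAGS` are hypothetical names, and returning 0 once the limit is exceeded is an assumed failure policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN      14
#define VLAN_HLEN     4
#define ETH_P_IP      0x0800
#define ETH_P_8021Q   0x8100
#define ETH_P_8021AD  0x88A8
#define MAX_VLAN_TAGS 32  /* hypothetical name; 32 is the commit message's limit */

/* Stand-in for skb_header_pointer(): copy n bytes at off into buf, or return
 * NULL if they lie beyond the frame. Never modifies the packet. */
static const uint8_t *hdr_ptr(const uint8_t *pkt, size_t len, size_t off,
                              size_t n, uint8_t *buf)
{
    if (off > len || n > len - off)
        return NULL;
    memcpy(buf, pkt + off, n);
    return buf;
}

/* Returns the first non-VLAN EtherType in host order, or 0 when the frame is
 * truncated or nests more than MAX_VLAN_TAGS tags. ntags must not be NULL. */
uint16_t get_l3_proto(const uint8_t *pkt, size_t len, int *ntags)
{
    uint8_t b[VLAN_HLEN];
    const uint8_t *p = hdr_ptr(pkt, len, ETH_HLEN - 2, 2, b);
    size_t off = ETH_HLEN;
    uint16_t proto = p ? (uint16_t)(p[0] << 8 | p[1]) : 0;
    for (*ntags = 0; proto == ETH_P_8021Q || proto == ETH_P_8021AD; off += VLAN_HLEN) {
        if (++*ntags > MAX_VLAN_TAGS || !(p = hdr_ptr(pkt, len, off, VLAN_HLEN, b)))
            return 0;
        proto = (uint16_t)(p[2] << 8 | p[3]);  /* h_vlan_encapsulated_proto */
    }
    return proto;
}

/* Constructed sample input: zeroed MACs, n 802.1Q tags, then EtherType inner. */
size_t build_frame(uint8_t *out, int n, uint16_t inner)
{
    size_t off = 12;
    memset(out, 0, off);
    for (int i = 0; i < n; i++) {
        out[off++] = ETH_P_8021Q >> 8; out[off++] = ETH_P_8021Q & 0xff;
        out[off++] = 0; out[off++] = 1;        /* TCI: VLAN id 1 */
    }
    out[off++] = (uint8_t)(inner >> 8); out[off++] = (uint8_t)(inner & 0xff);
    return off;
}
```

The work per frame is capped at `MAX_VLAN_TAGS` header reads regardless of frame length, and a frame cut off mid-tag is rejected instead of being read past its end.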