From: Daniel Borkmann <daniel@iogearbox.net>
To: "Toke Høiland-Jørgensen" <toke@redhat.com>, davem@davemloft.net
Cc: netdev@vger.kernel.org, cake@lists.bufferbloat.net,
Davide Caratti <dcaratti@redhat.com>,
Jiri Pirko <jiri@resnulli.us>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Toshiaki Makita <toshiaki.makita1@gmail.com>
Subject: Re: [Cake] [PATCH net] vlan: consolidate VLAN parsing code and limit max parsing depth
Date: Mon, 6 Jul 2020 22:01:58 +0200 [thread overview]
Message-ID: <4f7b2b71-8b2a-3aea-637d-52b148af1802@iogearbox.net> (raw)
In-Reply-To: <20200706122951.48142-1-toke@redhat.com>
On 7/6/20 2:29 PM, Toke Høiland-Jørgensen wrote:
> Toshiaki pointed out that we now have two very similar functions to extract
> the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
> that the unbounded parsing loop makes it possible for maliciously crafted
> packets to loop through potentially hundreds of tags.
>
> Fix both of these issues by consolidating the two parsing functions and
> limiting the VLAN tag parsing to an arbitrarily-chosen, but hopefully
> conservative, max depth of 32 tags. As part of this, switch over
> __vlan_get_protocol() to use skb_header_pointer() instead of
> pskb_may_pull(), to avoid the possible side effects of the latter and keep
> the skb pointer 'const' through all the parsing functions.
>
> Reported-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
> Reported-by: Daniel Borkmann <daniel@iogearbox.net>
> Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs")
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
> ---
> include/linux/if_vlan.h | 57 ++++++++++++++++-------------------------
> 1 file changed, 22 insertions(+), 35 deletions(-)
>
> diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
> index 427a5b8597c2..855d16192e6a 100644
> --- a/include/linux/if_vlan.h
> +++ b/include/linux/if_vlan.h
> @@ -25,6 +25,8 @@
> #define VLAN_ETH_DATA_LEN 1500 /* Max. octets in payload */
> #define VLAN_ETH_FRAME_LEN 1518 /* Max. octets in frame sans FCS */
>
> +#define VLAN_MAX_DEPTH 32 /* Max. number of nested VLAN tags parsed */
> +
Any insight on limits of nesting wrt QinQ, maybe from spec side? Why not 8 as max, for
example (I'd probably even consider a depth like this as utterly broken setup ..)?
Thanks,
Daniel
next prev parent reply other threads:[~2020-07-06 20:02 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-06 12:29 Toke Høiland-Jørgensen
2020-07-06 20:01 ` Daniel Borkmann [this message]
2020-07-06 22:44 ` Toke Høiland-Jørgensen
2020-07-07 10:49 ` Toshiaki Makita
2020-07-07 10:54 ` Toke Høiland-Jørgensen
2020-07-07 10:44 ` Toshiaki Makita
2020-07-07 10:57 ` Toke Høiland-Jørgensen
2020-07-07 11:01 ` Toshiaki Makita
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cake.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4f7b2b71-8b2a-3aea-637d-52b148af1802@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=cake@lists.bufferbloat.net \
--cc=davem@davemloft.net \
--cc=dcaratti@redhat.com \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=netdev@vger.kernel.org \
--cc=toke@redhat.com \
--cc=toshiaki.makita1@gmail.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox