From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id CDA4B3B29E for ; Tue, 7 Jul 2020 06:55:06 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1594119306; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RVRLvVOh+I/8281nFsXdg1u+5aMmAEt8iVhNSwqae+w=; b=FPYNlfKgoqi8Pd4TKnCP/zKRv/cHidv4L4uALt0G3eKTwKFe3fIKNJiSJF5UgOr0vPDwUV ws1dupnXmRo6cz6PqY5/7cT+8UPMW5BgONCDC9zrKQihjEkKFTLyqjH8hnluWdpUKe2ma3 WZDLjMbXT7SjQcm+CBr8tLGhp3SrV94= Received: from mail-pj1-f71.google.com (mail-pj1-f71.google.com [209.85.216.71]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-81-03ZL54_WNDiTxbvzrDzymg-1; Tue, 07 Jul 2020 06:55:02 -0400 X-MC-Unique: 03ZL54_WNDiTxbvzrDzymg-1 Received: by mail-pj1-f71.google.com with SMTP id e10so987011pjt.0 for ; Tue, 07 Jul 2020 03:55:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version:content-transfer-encoding; bh=u2CpusvBd4Nq44OvXUCk8t7JsvuTA+1iP5kw9pC+33g=; b=JHDIqeThEme671zMDk3ArIAms6GaO91FU7/W21iLAop9TsI/ZlKuBsCQbRzRi8NfKU Ko7imQhwZ1ry6QYtQIakILMuC/P8qw7gFy6DoP/0MkwKxdYSakfwdBhiWINe3YUGdNlD /Rc2bo1CNc5BHg332hVSbj0TZhYfR8RawydN0WURgXQKEtPyH3IRE5tteXSNUq9V9c+g k/eXeoWbK0ciSfNU8MzUZwI2jcw/TKc7dMVcBLGuUt6oxNGK/Lbkb+Ir3S2BRqOJ+1qT vSjTVx6FT3DaUpfyzsmjZOOjcf/ankpdW3PcNCh6LoCk68V+xWKslqypX4lVhmd9mdRz XZBw== X-Gm-Message-State: AOAM530liHdsUv9oM0Aifc9H7gXWZevklajd66tsU0X5fSQgSV7k8raE M2Dx16As8YPNBEXQQooiacA2hTgAScd4tSdhX6aQDTd1gHA1v7IL3+r8UfvtsHad6u54/cqmyFI KRFuoy+90fOfLHOnfntcZQg== X-Received: by 2002:a17:90b:2285:: with SMTP id kx5mr3959943pjb.83.1594119301857; Tue, 07 Jul 2020 03:55:01 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy4JnOZBOCNfPhTFsfcp37K6iWRLJmt2TprWvUWBb8ar5C8YzMvfLEqXGkT97on2VKu3EKivA== X-Received: by 2002:a17:90b:2285:: with SMTP id kx5mr3959922pjb.83.1594119301619; Tue, 07 Jul 2020 03:55:01 -0700 (PDT) Received: from alrua-x1.borgediget.toke.dk ([2a0c:4d80:42:443::2]) by smtp.gmail.com with ESMTPSA id e20sm5506830pfl.212.2020.07.07.03.55.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jul 2020 03:55:00 -0700 (PDT) Received: by alrua-x1.borgediget.toke.dk (Postfix, from userid 1000) id 0BB4F1804ED; Tue, 7 Jul 2020 12:54:56 +0200 (CEST) From: Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= To: Toshiaki Makita , Daniel Borkmann , davem@davemloft.net Cc: netdev@vger.kernel.org, cake@lists.bufferbloat.net, Davide Caratti , Jiri Pirko , Jamal Hadi Salim , Cong Wang In-Reply-To: <934a694b-ae3f-8247-c979-3d062b9804e4@gmail.com> References: <20200706122951.48142-1-toke@redhat.com> <4f7b2b71-8b2a-3aea-637d-52b148af1802@iogearbox.net> <87lfjwl0w7.fsf@toke.dk> <934a694b-ae3f-8247-c979-3d062b9804e4@gmail.com> X-Clacks-Overhead: GNU Terry Pratchett Date: Tue, 07 Jul 2020 12:54:56 +0200 Message-ID: <87fta3lhmn.fsf@toke.dk> MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=toke@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [Cake] [PATCH net] vlan: consolidate VLAN parsing code and limit max parsing depth X-BeenThere: cake@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: Cake - FQ_codel the next generation List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Jul 2020 10:55:06 -0000 Toshiaki Makita writes: > On 2020/07/07 7:44, Toke H=C3=B8iland-J=C3=B8rgensen wrote: >> Daniel Borkmann writes: >>> On 7/6/20 2:29 PM, Toke H=C3=B8iland-J=C3=B8rgensen wrote: >>>> Toshiaki pointed out that we now have two very similar functions to ex= tract >>>> the L3 protocol number in the presence of VLAN tags. And Daniel pointe= d out >>>> that the unbounded parsing loop makes it possible for maliciously craf= ted >>>> packets to loop through potentially hundreds of tags. >>>> >>>> Fix both of these issues by consolidating the two parsing functions an= d >>>> limiting the VLAN tag parsing to an arbitrarily-chosen, but hopefully >>>> conservative, max depth of 32 tags. As part of this, switch over >>>> __vlan_get_protocol() to use skb_header_pointer() instead of >>>> pskb_may_pull(), to avoid the possible side effects of the latter and = keep >>>> the skb pointer 'const' through all the parsing functions. >>>> >>>> Reported-by: Toshiaki Makita >>>> Reported-by: Daniel Borkmann >>>> Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesse= s in the presence of VLANs") >>>> Signed-off-by: Toke H=C3=B8iland-J=C3=B8rgensen >>>> --- >>>> include/linux/if_vlan.h | 57 ++++++++++++++++----------------------= --- >>>> 1 file changed, 22 insertions(+), 35 deletions(-) >>>> >>>> diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h >>>> index 427a5b8597c2..855d16192e6a 100644 >>>> --- a/include/linux/if_vlan.h >>>> +++ b/include/linux/if_vlan.h >>>> @@ -25,6 +25,8 @@ >>>> #define VLAN_ETH_DATA_LEN=091500=09/* Max. octets in payload=09 */ >>>> #define VLAN_ETH_FRAME_LEN=091518=09/* Max. octets in frame sans FC= S */ >>>> =20 >>>> +#define VLAN_MAX_DEPTH=0932=09=09/* Max. number of nested VLAN tags p= arsed */ >>>> + >>> >>> Any insight on limits of nesting wrt QinQ, maybe from spec side? >>=20 >> Don't think so. Wikipedia says this: >>=20 >> 802.1ad is upward compatible with 802.1Q. Although 802.1ad is limited >> to two tags, there is no ceiling on the standard limiting a single >> frame to more than two tags, allowing for growth in the protocol. In >> practice Service Provider topologies often anticipate and utilize >> frames having more than two tags. >>=20 >>> Why not 8 as max, for example (I'd probably even consider a depth like >>> this as utterly broken setup ..)? >>=20 >> I originally went with 8, but chickened out after seeing how many places >> call the parsing function. While I do agree that eight tags is... somewh= at >> excessive... I was trying to make absolutely sure no one would hit this >> limit in normal use. See also https://xkcd.com/1172/ :) > > Considering that XMIT_RECURSION_LIMIT is 8, I also think 8 is sufficient. Alright, fair enough, I'll send a v2 with a limit of 8 :) -Toke