From: Maxim Mikityanskiy <maximmi@nvidia.com>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>,
"Florian Westphal" <fw@strlen.de>
Cc: Young Xiao <92siuyang@gmail.com>, <netdev@vger.kernel.org>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Matthieu Baerts <matthieu.baerts@tessares.net>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jiri Pirko <jiri@resnulli.us>, Patrick McHardy <kaber@trash.net>,
Jesper Dangaard Brouer <brouer@redhat.com>,
Paolo Abeni <pabeni@redhat.com>,
Christoph Paasch <cpaasch@apple.com>,
Peter Krystad <peter.krystad@linux.intel.com>
Subject: Re: [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options
Date: Thu, 10 Jun 2021 14:19:38 +0300 [thread overview]
Message-ID: <cddbb9c5-58d2-64c4-f77b-9991ec977dc3@nvidia.com> (raw)
In-Reply-To: <87h7i6n1us.fsf@toke.dk>
On 2021-06-10 00:51, Toke Høiland-Jørgensen wrote:
> Maxim Mikityanskiy <maximmi@nvidia.com> writes:
>
>> The TCP option parser in cake qdisc (cake_get_tcpopt and
>> cake_tcph_may_drop) could read one byte out of bounds. When the length
>> is 1, the execution flow gets into the loop, reads one byte of the
>> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
>> one more byte, which exceeds the length of 1.
>>
>> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
>> out of bounds when parsing TCP options.").
>>
>> Cc: Young Xiao <92siuyang@gmail.com>
>> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
>
> Thanks for fixing this!
>
> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>
Could you also review whether Florian's comment on patch 1 is relevant
to this patch too? I have concerns about cake_get_tcphdr, which returns
`skb_header_pointer(skb, offset, min(__tcp_hdrlen(tcph), bufsize),
buf)`. Although I don't see a way for it to get out of bounds (it will
read garbage instead of TCP header in the worst case), such code doesn't
look robust.
It's not possible for it to get out of bounds, because there is a call
to skb_header_pointer above with sizeof(_tcph), which ensures that the
SKB has at least 20 bytes after the beginning of the TCP header, which
means that the second skb_header_pointer will either point to SKB (where
we have at least 20 bytes) or to buf (which is allocated by the caller,
so the caller shouldn't overflow its own buffer).
On the other hand, parsing garbage doesn't look like a valid behavior
compared to dropping/ignoring/whatever-cake-does-with-bad-packets, so we
may want to handle it, for example:
return skb_header_pointer(skb, offset,
- min(__tcp_hdrlen(tcph), bufsize), buf);
+ min(max(sizeof(struct tcphdr),
__tcp_hdrlen(tcph)), bufsize), buf);
What do you think? Or did I just miss some early check for doff?
(I realize it's egress path and the packets produced by the system
itself are unlikely to have bad doff, but it's not impossible, for
example, with AF_PACKET, BPF hooks in tc, etc.)
next prev parent reply other threads:[~2021-06-10 11:19 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy
2021-06-09 14:51 ` Florian Westphal
2021-06-10 7:05 ` Maxim Mikityanskiy
2021-06-10 8:56 ` Florian Westphal
2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy
2021-06-10 0:07 ` Mat Martineau
2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy
2021-06-09 21:51 ` Toke Høiland-Jørgensen
2021-06-10 11:19 ` Maxim Mikityanskiy [this message]
2021-06-10 14:33 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cddbb9c5-58d2-64c4-f77b-9991ec977dc3@nvidia.com \
--to=maximmi@nvidia.com \
--cc=92siuyang@gmail.com \
--cc=brouer@redhat.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kaber@trash.net \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=matthieu.baerts@tessares.net \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=peter.krystad@linux.intel.com \
--cc=toke@toke.dk \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.