Re: [PATCH net 2/2] IPv6: reply ICMP error if the first fragment don't... | netdev

[PATCH net 0/2] IPv6: reply ICMP error with fragment doesn't contain all headers · Hangbin Liu <hidden> · 2020-10-07
[PATCH net 1/2] ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition · Hangbin Liu <hidden> · 2020-10-07
[PATCH net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-07
Re: [PATCH net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Eric Dumazet <hidden> · 2020-10-07
Re: [PATCH net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-08
Re: [PATCH net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Eric Dumazet <hidden> · 2020-10-08
Re: [PATCH net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-09
Re: [PATCH net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Jakub Kicinski <kuba@kernel.org> · 2020-10-07
Re: [PATCH net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-08
[PATCHv2 net 0/2] IPv6: reply ICMP error with fragment doesn't contain all headers · Hangbin Liu <hidden> · 2020-10-21
[PATCHv2 net 1/2] ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition · Hangbin Liu <hidden> · 2020-10-21
[PATCHv2 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-21
Re: [PATCHv2 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Willem de Bruijn <willemdebruijn.kernel@gmail.com> · 2020-10-21
Re: [PATCHv2 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-22
Re: [PATCHv2 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Willem de Bruijn <willemdebruijn.kernel@gmail.com> · 2020-10-22
[PATCHv3 net 0/2] IPv6: reply ICMP error if fragment doesn't contain all headers · Hangbin Liu <hidden> · 2020-10-23
[PATCHv3 net 1/2] ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition · Hangbin Liu <hidden> · 2020-10-23
[PATCHv3 net 2/2] IPv6: reply ICMP error if the first fragment doesn't include all headers · Hangbin Liu <hidden> · 2020-10-23
Re: [PATCHv3 net 2/2] IPv6: reply ICMP error if the first fragment doesn't include all headers · Jakub Kicinski <kuba@kernel.org> · 2020-10-23
[PATCHv4 net 0/2] IPv6: reply ICMP error if fragment doesn't contain all headers · Hangbin Liu <hidden> · 2020-10-26
[PATCHv4 net 1/2] ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition · Hangbin Liu <hidden> · 2020-10-26
[PATCHv4 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-26
Re: [PATCHv4 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Georg Kohmann (geokohma) <hidden> · 2020-10-26
Re: [PATCHv4 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-26
Re: [PATCHv4 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Georg Kohmann (geokohma) <hidden> · 2020-10-26
[PATCHv5 net 0/2] IPv6: reply ICMP error if fragment doesn't contain all headers · Hangbin Liu <hidden> · 2020-10-27
[PATCHv5 net 1/2] ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition · Hangbin Liu <hidden> · 2020-10-27
[PATCHv5 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-27
Re: [PATCHv5 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Georg Kohmann (geokohma) <hidden> · 2020-10-27
Re: [PATCHv5 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-27
Re: [PATCHv5 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Georg Kohmann (geokohma) <hidden> · 2020-10-27
Re: [PATCHv5 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Willem de Bruijn <willemdebruijn.kernel@gmail.com> · 2020-10-30
Re: [PATCHv5 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Georg Kohmann (geokohma) <hidden> · 2020-10-30
[PATCHv6 net 0/2] IPv6: reply ICMP error if fragment doesn't contain all headers · Hangbin Liu <hidden> · 2020-10-27
[PATCHv6 net 1/2] ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition · Hangbin Liu <hidden> · 2020-10-27
[PATCHv6 net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers · Hangbin Liu <hidden> · 2020-10-27
Re: [PATCHv6 net 0/2] IPv6: reply ICMP error if fragment doesn't contain all headers · Jakub Kicinski <kuba@kernel.org> · 2020-10-31

Re: [PATCH net 2/2] IPv6: reply ICMP error if the first fragment don't include all headers

From: Hangbin Liu <hidden>
Date: 2020-10-09 10:07:53

On Thu, Oct 08, 2020 at 11:47:00AM +0200, Eric Dumazet wrote:


On 10/8/20 10:30 AM, Hangbin Liu wrote:

quoted

@@ -282,6 +285,21 @@ static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev,
 		}
 	}
 
+	/* RFC 8200, Section 4.5 Fragment Header:
+	 * If the first fragment does not include all headers through an
+	 * Upper-Layer header, then that fragment should be discarded and
+	 * an ICMP Parameter Problem, Code 3, message should be sent to
+	 * the source of the fragment, with the Pointer field set to zero.
+	 */
+	nexthdr = hdr->nexthdr;
+	offset = ipv6_skip_exthdr(skb, skb_transport_offset(skb), &nexthdr, &frag_off);
+	if (frag_off == htons(IP6_MF) && !pskb_may_pull(skb, offset + 1)) {
+		__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
+		icmpv6_param_prob(skb, ICMPV6_HDR_INCOMP, 0);
+		rcu_read_unlock();
+		return NULL;
+	}
+
 	rcu_read_unlock();
 
 	/* Must drop socket now because of tproxy. */

Ouch, this is quite a buggy patch.

I doubt we want to add yet another ipv6_skip_exthdr() call in IPv6 fast path.

Surely the presence of NEXTHDR_FRAGMENT is already tested elsewhere ?

Would you like to help point where NEXTHDR_FRAGMENT was tested before IPv6
defragment?

I think we have to ask the question : Should routers enforce the rule, or
only end points ?

From IPv6 Core Conformance test[1], it applied to both router and host(It will
marked specifically if a test only for router).

End points must handle NEXTHDR_FRAGMENT, in ipv6_frag_rcv()

Yes, I was also try put the check there, but it looks that would be too late
if module nf_defrag_ipv6 loaded

quoted

Also ipv6_skip_exthdr() can return an error.

it returns -1 as error, If we tested it by (offset + 1 > skb->len), does
that count as an error handler?

If there is an error, then you want to send the ICMP, right ?

No, this is only for fragment header with no enough Upper-Layer header, which need
send ICMP Parameter Problem, Code 3 specifically. For other errors, I guess
the other code will take care of it.

So for -1 return, I just skipped it.

The (offset + 1) expression will become 0, and surely the test will be false,
so you wont send the ICMP...

[1] v6LC.1.3.6: First Fragment Doesn’t Contain All Headers part A, B,
C and D at https://ipv6ready.org/docs/Core_Conformance_5_0_0.pdf

Thanks
Hangbin

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help