From patchwork Mon Jun 1 12:58:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ido Schimmel X-Patchwork-Id: 218074 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C0BEAC433DF for ; Mon, 1 Jun 2020 12:59:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 92B822077D for ; Mon, 1 Jun 2020 12:59:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="XFIma2hN" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725886AbgFAM7g (ORCPT ); Mon, 1 Jun 2020 08:59:36 -0400 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:56005 "EHLO out3-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725838AbgFAM7e (ORCPT ); Mon, 1 Jun 2020 08:59:34 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id DB61C5C00EC; Mon, 1 Jun 2020 08:59:32 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Mon, 01 Jun 2020 08:59:32 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=E0wceg3xkmnmO0owKD+Ur3r9Ne13G1p5ItMUZ5WVi/g=; b=XFIma2hN 1X76BLHIwxM2l+ebuv19KRWJz2Kh3J3V4+1HvD+tJpXOleuEdbpRc9hNVlHFetn/ jXVKIr/TwDdbUR9AdL4CFLCWMRez16MIRCVUyZ7eTEdqedl1ho1FR4FW0txIIgB5 qOQT90jyES/eIJtAQeNgEeg42ACauHA7x6K/1MdLTbLDQjsi4uD6pr1se3Mih4BU UmaZWuIpRRkUY606QqdFLsNgng/owCwIbKry49iRQhcu3EB/+sJVolmkjebfzpMa lihuye/NtDLF8R1E+btqrfbVAH8GD2jTZ46sfdI5yLTfdHIli1JhoIeJfExVTEUT 9JDrVkdnMnbK9g== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudefhedgheduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffufffkofgjfhgggfestdekre dtredttdenucfhrhhomhepkfguohcuufgthhhimhhmvghluceoihguohhstghhsehiugho shgthhdrohhrgheqnecuggftrfgrthhtvghrnhepteetjeffgeeljeduffelfffhheeule eltdejvdevgfeuleffvedvteeiteefhfehnecuffhomhgrihhnpehivghtfhdrohhrghen ucfkphepjeelrddujeeirddvgedruddtjeenucevlhhushhtvghrufhiiigvpedtnecurf grrhgrmhepmhgrihhlfhhrohhmpehiughoshgthhesihguohhstghhrdhorhhg X-ME-Proxy: Received: from splinter.mtl.com (bzq-79-176-24-107.red.bezeqint.net [79.176.24.107]) by mail.messagingengine.com (Postfix) with ESMTPA id EFA24328005A; Mon, 1 Jun 2020 08:59:30 -0400 (EDT) From: Ido Schimmel To: netdev@vger.kernel.org, bridge@lists.linux-foundation.org Cc: davem@davemloft.net, kuba@kernel.org, roopa@cumulusnetworks.com, nikolay@cumulusnetworks.com, dlstevens@us.ibm.com, allas@mellanox.com, mlxsw@mellanox.com, Ido Schimmel Subject: [PATCH net 2/2] vxlan: Avoid infinite loop when suppressing NS messages with invalid options Date: Mon, 1 Jun 2020 15:58:55 +0300 Message-Id: <20200601125855.1751343-3-idosch@idosch.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200601125855.1751343-1-idosch@idosch.org> References: <20200601125855.1751343-1-idosch@idosch.org> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Ido Schimmel When proxy mode is enabled the vxlan device might reply to Neighbor Solicitation (NS) messages on behalf of remote hosts. In case the NS message includes the "Source link-layer address" option [1], the vxlan device will use the specified address as the link-layer destination address in its reply. To avoid an infinite loop, break out of the options parsing loop when encountering an option with length zero and disregard the NS message. This is consistent with the IPv6 ndisc code and RFC 4886 which states that "Nodes MUST silently discard an ND packet that contains an option with length zero" [2]. [1] https://tools.ietf.org/html/rfc4861#section-4.3 [2] https://tools.ietf.org/html/rfc4861#section-4.6 Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()") Signed-off-by: Ido Schimmel --- drivers/net/vxlan.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index a5b415fed11e..779e56c43d27 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -1924,6 +1924,10 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request, ns_olen = request->len - skb_network_offset(request) - sizeof(struct ipv6hdr) - sizeof(*ns); for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) { + if (!ns->opt[i + 1]) { + kfree_skb(reply); + return NULL; + } if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) { daddr = ns->opt + i + sizeof(struct nd_opt_hdr); break;