From patchwork Mon Feb 25 16:24:15 2019
X-Patchwork-Submitter: Sergey Nazarov
X-Patchwork-Id: 10828861
bh=RbQFsHbfgaKGnwDtKHd+fgkwRH2XIk4TRkcnvu6pJes=; h=Message-Id:Cc:Subject:In-Reply-To:Date:References:To:From; b=iyCNh9HOpWdP7WVFtiY10rm42P19s6SOMXghY0wjVjy0aC51VAzI4iD+D4/WJVO8z Nkx7pK5KSpiJuQ58SC/OFohyA1TfBq/28bgrbjLQaIk2Wd7jUUDjYqJmacXbhPoo7Q Pc0KZrS1B6LnA7XCDp0lSTxdeNNkcfStxwDy7qko= Authentication-Results: mxback19j.mail.yandex.net; dkim=pass header.i=@yandex.ru Received: by myt5-f1576e7b5bad.qloud-c.yandex.net with HTTP; Mon, 25 Feb 2019 19:24:15 +0300 From: Nazarov Sergey To: David Miller Cc: "paul@paul-moore.com" , "netdev@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "kuznet@ms2.inr.ac.ru" , "yoshfuji@linux-ipv6.org" In-Reply-To: <20190224.173328.1032826011262803545.davem@davemloft.net> References: <20190218.172544.1436352995315454863.davem@davemloft.net> <8873761550853329@myt6-67cd1de25d8a.qloud-c.yandex.net> <33533951550857169@myt3-2475c4d2af83.qloud-c.yandex.net> <20190224.173328.1032826011262803545.davem@davemloft.net> Subject: [PATCH v2 1/2] NETWORKING: avoid use IPCB in cipso_v4_error MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 Date: Mon, 25 Feb 2019 19:24:15 +0300 Message-Id: <52295911551111855@myt5-f1576e7b5bad.qloud-c.yandex.net> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Add __icmp_send function having ip_options struct parameter Signed-off-by: Sergey Nazarov Reviewed-by: Paul Moore --- include/net/icmp.h | 9 ++++++++- net/ipv4/icmp.c | 7 ++++--- 2 files changed, 12 insertions(+), 4 deletions(-) --- diff --git a/include/net/icmp.h b/include/net/icmp.h index 6ac3a5b..e0f709d 100644 --- a/include/net/icmp.h +++ b/include/net/icmp.h @@ -22,6 +22,7 @@ #include #include +#include struct icmp_err { int errno; 
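Review bot: the include added at the top of include/net/icmp.h in the @@ -22,6 +22,7 @@ hunk must be the header that defines struct ip_options and the IPCB() accessor, because the static inline icmp_send() added further down now expands &IPCB(skb_in)->opt in every translation unit that includes icmp.h; please double-check that pulling that header into icmp.h does not create a circular include for headers which already include net/icmp.h.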
@@ -39,7 +40,13 @@ struct icmp_err { struct sk_buff; struct net; -void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info); +void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, + const struct ip_options *opt); +static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) +{ + __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt); +} + int icmp_rcv(struct sk_buff *skb); int icmp_err(struct sk_buff *skb, u32 info); int icmp_init(void); diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 065997f..3f24414 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -570,7 +570,8 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) * MUST reply to only the first fragment. */ -void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) +void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, + const struct ip_options *opt) { struct iphdr *iph; int room; @@ -691,7 +692,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) iph->tos; mark = IP4_REPLY_MARK(net, skb_in->mark); - if (ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in)) + if (__ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in, opt)) goto out_unlock; 
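Review bot: the static inline icmp_send() in the @@ -39,7 +40,13 @@ hunk makes IPCB(skb_in)->opt the implicit option source for every existing caller, but nothing in the header says when a caller must use __icmp_send() instead; a one-line comment above the two prototypes, e.g. `/* opt: IP options of the packet being replied to; icmp_send() uses IPCB(skb_in)->opt, which is only valid when called from the IP layer */`, would stop future callers above the IP layer from passing a stale control block.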
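Review bot: the comment block ending `* MUST reply to only the first fragment. */` directly above the renamed function in the @@ -570,7 +570,8 @@ hunk still describes icmp_send() and says nothing about the new `const struct ip_options *opt` argument; update it to name __icmp_send() and to state that opt is the option block of the packet being replied to, since that comment is the in-tree description of the function's contract.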
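Review bot: in the @@ -691,7 +692,7 @@ hunk the caller-supplied `opt` is passed straight into __ip_options_echo() with no NULL check, while the previous call always used the skb's own control block; unless __ip_options_echo() is documented to accept a NULL source, either add `if (!opt) goto out_unlock;` before the call or state in the prototype comment that opt must be non-NULL, so that the exported __icmp_send() has a defined contract for out-of-tree and future callers.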
@@ -742,7 +743,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) local_bh_enable(); out:; } -EXPORT_SYMBOL(icmp_send); +EXPORT_SYMBOL(__icmp_send); static void icmp_socket_deliver(struct sk_buff *skb, u32 info) From patchwork Mon Feb 25 16:27:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sergey Nazarov X-Patchwork-Id: 10828875 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6B53317E6 for ; Mon, 25 Feb 2019 16:27:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 53A9F2A9D7 for ; Mon, 25 Feb 2019 16:27:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 424242ABFB; Mon, 25 Feb 2019 16:27:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D3B982A9D7 for ; Mon, 25 Feb 2019 16:27:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727883AbfBYQ1V (ORCPT ); Mon, 25 Feb 2019 11:27:21 -0500 Received: from forward500j.mail.yandex.net ([5.45.198.250]:59511 "EHLO forward500j.mail.yandex.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727684AbfBYQ1V (ORCPT ); Mon, 25 Feb 2019 11:27:21 -0500 Received: from mxback2g.mail.yandex.net (mxback2g.mail.yandex.net [IPv6:2a02:6b8:0:1472:2741:0:8b7:163]) by forward500j.mail.yandex.net (Yandex) with ESMTP id 175D911C17D9; Mon, 25 Feb 2019 19:27:17 +0300 (MSK) Received: from localhost (localhost [::1]) 
by mxback2g.mail.yandex.net (nwsmtp/Yandex) with ESMTP id gvUJQ4aZ97-RFDOCxVO; Mon, 25 Feb 2019 19:27:16 +0300 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1551112036; bh=I36IfuBbAjK63QKcpNfB6EubHF/EMuJvQ34Xoh7GZCk=; h=Message-Id:Cc:Subject:In-Reply-To:Date:References:To:From; b=NmWxA3pdb+vDZyf7XeDtxBCTccdOtWBx7MaJAnL83X/IcfuhXj3YzQf+VpQABQOLr ME0Y+sn1eGh+YxTVmGhVRYL3jn27sOyK9dy1UwhvSLuErJWkqN5UOe9om6LKm/kJgi XbYP1XJXmOSypAKdMjotFIMf/ME6kMAXulgDOmr4= Authentication-Results: mxback2g.mail.yandex.net; dkim=pass header.i=@yandex.ru Received: by myt2-dc4bba9bb23c.qloud-c.yandex.net with HTTP; Mon, 25 Feb 2019 19:27:15 +0300 From: Nazarov Sergey To: David Miller Cc: "paul@paul-moore.com" , "netdev@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "kuznet@ms2.inr.ac.ru" , "yoshfuji@linux-ipv6.org" In-Reply-To: <20190224.173328.1032826011262803545.davem@davemloft.net> References: <20190218.172544.1436352995315454863.davem@davemloft.net> <8873761550853329@myt6-67cd1de25d8a.qloud-c.yandex.net> <33533951550857169@myt3-2475c4d2af83.qloud-c.yandex.net> <20190224.173328.1032826011262803545.davem@davemloft.net> Subject: [PATCH v2 2/2] NETWORKING: avoid use IPCB in cipso_v4_error MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 Date: Mon, 25 Feb 2019 19:27:15 +0300 Message-Id: <3666661551112035@myt2-dc4bba9bb23c.qloud-c.yandex.net> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Extract IP options in cipso_v4_error and use __icmp_send. Signed-off-by: Sergey Nazarov Acked-by: Paul Moore --- include/net/ip.h | 2 ++ net/ipv4/cipso_ipv4.c | 17 +++++++++++++++-- net/ipv4/ip_options.c | 22 +++++++++++++++++----- 3 files changed, 34 insertions(+), 7 deletions(-) --- diff --git a/include/net/ip.h b/include/net/ip.h index 8866bfc..f0e8d06 100644 --- a/include/net/ip.h +++ b/include/net/ip.h 
@@ -667,6 +667,8 @@ static inline int ip_options_echo(struct net *net, struct ip_options *dopt, } void ip_options_fragment(struct sk_buff *skb); +int __ip_options_compile(struct net *net, struct ip_options *opt, + struct sk_buff *skb, __be32 *info); int ip_options_compile(struct net *net, struct ip_options *opt, struct sk_buff *skb); int ip_options_get(struct net *net, struct ip_options_rcu **optp, diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 777fa3b..eff86a7 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -1735,13 +1735,26 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) */ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway) { + unsigned char optbuf[sizeof(struct ip_options) + 40]; + struct ip_options *opt = (struct ip_options *)optbuf; + if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES) return; + /* + * We might be called above the IP layer, + * so we can not use icmp_send and IPCB here. + */ + + memset(opt, 0, sizeof(struct ip_options)); + opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); + if (__ip_options_compile(dev_net(skb->dev), opt, skb, NULL)) + return; + if (gateway) - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0); + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0, opt); else - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0); + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0, opt); } /** diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c index ed194d4..32a3504 100644 --- a/net/ipv4/ip_options.c +++ b/net/ipv4/ip_options.c @@ -251,8 +251,9 @@ static void spec_dst_fill(__be32 *spec_dst, struct sk_buff *skb) * If opt == NULL, then skb->data should point to IP header. */ -int ip_options_compile(struct net *net, - struct ip_options *opt, struct sk_buff *skb) +int __ip_options_compile(struct net *net, + struct ip_options *opt, struct sk_buff *skb, + __be32 *info) { __be32 spec_dst = htonl(INADDR_ANY); unsigned char *pp_ptr = NULL; 
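Review bot: the new prototype in the @@ -667,6 +667,8 @@ hunk of include/net/ip.h introduces an out-parameter `__be32 *info` with no comment; since ip_options_compile() is declared immediately below it, a short note that info (which may be NULL) receives the ICMP parameter-problem pointer value on failure and that this variant sends no ICMP itself would let readers tell the two entry points apart from the header alone.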
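Review bot: in the @@ -1735,13 +1735,26 @@ hunk of net/ipv4/cipso_ipv4.c, `unsigned char optbuf[sizeof(struct ip_options) + 40]` is cast to `struct ip_options *`, but a char array carries no alignment guarantee for the struct's wider fields; declare the buffer as a union of struct ip_options and the byte array, or mark it `__aligned(__alignof__(struct ip_options))`, so the cast is well-defined on strict-alignment architectures. Two smaller points: `opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr)` relies on ihl having already been validated to be at least 5 (otherwise the unsigned subtraction wraps before being truncated into optlen), which is worth stating in the comment given that the comment itself warns the function may run above the IP layer; and the `/* We might be called above the IP layer ... */` comment is separated by a blank line from the memset it explains, so move it directly above that line.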
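Review bot: the renamed function in the @@ -251,8 +251,9 @@ hunk of net/ipv4/ip_options.c gains an `__be32 *info` parameter, but the comment block directly above it (ending `* If opt == NULL, then skb->data should point to IP header.`) is not updated; add a line stating that on failure `*info` (when non-NULL) receives the ICMP parameter-problem pointer and that __ip_options_compile() never sends ICMP itself, so callers such as cipso_v4_error() know they own error reporting.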
@@ -468,11 +469,22 @@ int ip_options_compile(struct net *net, return 0; error: - if (skb) { - icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)<<24)); - } + if (info) + *info = htonl((pp_ptr-iph)<<24); return -EINVAL; } + +int ip_options_compile(struct net *net, + struct ip_options *opt, struct sk_buff *skb) +{ + int ret; + __be32 info; + + ret = __ip_options_compile(net, opt, skb, &info); + if (ret != 0 && skb) + icmp_send(skb, ICMP_PARAMETERPROB, 0, info); + return ret; +} EXPORT_SYMBOL(ip_options_compile); /*
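Review bot: in the @@ -468,11 +469,22 @@ hunk the new ip_options_compile() wrapper declares `__be32 info;` without an initializer and hands it to icmp_send() whenever `ret != 0`, but __ip_options_compile() only assigns `*info` at the `error:` label; that is correct only as long as every non-zero return reaches that label, so either initialize it (`__be32 info = 0;`) or add a comment stating the invariant, to keep a future early `return -EINVAL` from emitting an ICMP_PARAMETERPROB with an uninitialized pointer field.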