On Tue, Mar 1, 2016 at 7:00 PM, Alan Cox <a...@linux.intel.com> wrote: >> More thorough validation of the header contents is not necessarily >> hard. The following validates the address, including optional >> repeaters. >> >> static bool ax25_validate_hard_header(const char *ll_header, >> unsigned short len) >> { >> ax25_digi digi; >> >> return !ax25_addr_parse(ll_header, len, NULL, NULL, &digi, >> NULL, NULL); >> } > > This also breaks because there is a KISS header byte on an AX.25 > transmission and it is valid to send a KISS control frame via > SOCK_PACKET but it cannot be generated by other protocols. > > Basically everything hitting an AX.25 port is either a zero byte > followed by an AX.25 frame, or a KISS frame the first of which is non > zero and which is used to set parameters on the radio side. > > The AX.25 device level drivers are simply written to be robust if > thrown partial frames.
That is preferable, but unfortunately does not seem to be true in general. A quick search for ethhdr in drivers/net/ethernet shows, for instance, bnx2x_select_queue casting skb->data to an ethernet header. Reading nonsense in that particular function is quite safe and given the skbuff layout (skb_shared_info) code will never read beyond an allocated region. But that was just the first occurrence I found. efx_tso_check_protocol is another example. The stack itself also has a few unconditional uses of dev->hard_header_len as lower bound on packet length. dump_ipv4_mac_header in net/ipv4/netfilter/nf_log_ipv4.c iterates over bytes and logs them to the system log. nla_put(inst->skb, FULA_HWHEADER, skb->dev->hard_header_len, hwhdrp) in net/netfilter/nfnetlink_log passes bytes up to userspace. With ebtables or tc + act_ipt, it might be possible to construct a path from a packet socket through one of these. I'm not sure. Regardless of the immediate fix, these should probably be made more robust against short packets. > The other thing that concerns me about this added logic in general is > that you are also breaking test tools that want to deliberately send > corrupt frames to certain classes of interface. I'm not sure how big an > issue that is given we always for example padded ethernet frames > properly, but the more validation we do for a privileged interface the > more we prevent applications for testing network behaviour from being > able to run on Linux. Good point. Given how a minimum header length check already causes so much problems, I hesitate to add more validation logic unconditionally. > Possibly there should be a CAP_SYS_RAWIO test but > making it impossible is a bad step. Okay. To avoid overloading this capability, perhaps a per-device sysctl analogous to net.ipv4.conf.$DEV.accept_local? I'll start with the patch to replaces ll_header_truncate with a validate() + a separate minimal ax25 implementation. > > Alan > > > > > > >