Re: [PATCHv2 2/2] bridge: multicast: enable snooping on general queries only

2014-03-11 Thread David Miller
From: Linus Lüssing 
Date: Mon, 10 Mar 2014 22:25:25 +0100

> Without this check someone could easily create a denial of service
> by injecting multicast-specific queries to enable the bridge
> snooping part if no real querier issuing periodic general queries
> is present on the link which would result in the bridge wrongly
> shutting down ports for multicast traffic as the bridge did not learn
> about these listeners.
> 
> With this patch the snooping code is enabled upon receiving valid,
> general queries only.
> 
> Signed-off-by: Linus Lüssing 

Applied.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
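The gate described in the commit message, sketched as an added example that is not code from the patch or the kernel: only a well-formed general query may mark a querier as present, so a group-specific query alone never switches snooping on. It assumes IGMPv2 framing for brevity (the hunk discussed in this thread is the MLD path); `snoop_state`, `classify_igmp_query`, `query_received` and the sample packets are hypothetical and constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed IGMPv2 queries: type 0x11, max resp 0x64, checksum, group. */
static const uint8_t sample_general[8]  = {0x11, 0x64, 0xEE, 0x9B, 0, 0, 0, 0};
static const uint8_t sample_specific[8] = {0x11, 0x64, 0xFD, 0x96, 239, 1, 2, 3};

/* Hypothetical model of bridge state; not the kernel's data structure. */
struct snoop_state { bool querier_present; };

/* RFC 1071 Internet checksum; a message with a valid checksum yields 0. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1: valid general query, 0: valid group-specific query, -1: invalid. */
int classify_igmp_query(const uint8_t *msg, size_t len)
{
    static const uint8_t any[4] = {0, 0, 0, 0};
    if (len < 8 || msg[0] != 0x11)      /* 0x11 = membership query */
        return -1;
    if (inet_csum(msg, len) != 0)
        return -1;
    /* Bytes 4..7 hold the group address; 0.0.0.0 marks a general query. */
    return memcmp(msg + 4, any, sizeof(any)) == 0 ? 1 : 0;
}

/* Only a valid general query may mark a querier as present. */
bool query_received(struct snoop_state *st, const uint8_t *msg, size_t len)
{
    if (classify_igmp_query(msg, len) == 1)
        st->querier_present = true;
    return st->querier_present;
}

int main(void)
{
    struct snoop_state st = { false };
    return query_received(&st, sample_specific, 8) ? 1 : 0;
}
```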


Re: [PATCHv2 2/2] bridge: multicast: enable snooping on general queries only

2014-03-10 Thread Linus Lüssing
On Mon, Mar 10, 2014 at 11:56:00PM +0100, Hannes Frederic Sowa wrote:
> On Mon, Mar 10, 2014 at 10:25:25PM +0100, Linus Lüssing wrote:
> > br_multicast_query_received(br, port, &br->ip6_querier,
> > -   !ipv6_addr_any(&ip6h->saddr), max_delay);
> > +   !ipv6_addr_any(&ip6h->saddr),
> > +   is_general_query, max_delay);
> 
> Just a small nit, maybe for a later patch:
> 
> After your change 6565b9eeef194a ("bridge: multicast: add sanity check
> for query source addresses"), which is still in -net only, we could
> replace !ipv6_addr_any(&ip6h->saddr) with '1'?

Aiy, good point, that part is obsolete now and
br_multicast_query_received() could be simplified, right. Going
to do that once we are out of deep-RC territory again and/or
the according commit is available in net-next. Thanks for the
hint!

Cheers, Linus




Re: [PATCHv2 2/2] bridge: multicast: enable snooping on general queries only

2014-03-10 Thread Hannes Frederic Sowa
On Mon, Mar 10, 2014 at 10:25:25PM +0100, Linus Lüssing wrote:
>   br_multicast_query_received(br, port, &br->ip6_querier,
> - !ipv6_addr_any(&ip6h->saddr), max_delay);
> + !ipv6_addr_any(&ip6h->saddr),
> + is_general_query, max_delay);
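Review bot: the new is_general_query argument in the br_multicast_query_received() call sits directly after another truth-value argument, !ipv6_addr_any(&ip6h->saddr), so swapping the two at a call site would compile without a warning and silently defeat the general-query gate. A short comment on br_multicast_query_received() naming both flags and their order would guard against that. The lines that compute is_general_query are not part of this excerpt, so it is worth confirming the flag is only set once the query has passed validation, as the commit message's "valid, general queries only" requires.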

Just a small nit, maybe for a later patch:

After your change 6565b9eeef194a ("bridge: multicast: add sanity check
for query source addresses"), which is still in -net only, we could
replace !ipv6_addr_any(&ip6h->saddr) with '1'?

Greetings,

  Hannes
