Re: [PATCHv2 2/2] bridge: multicast: enable snooping on general queries only
From: Linus Lüssing
Date: Mon, 10 Mar 2014 22:25:25 +0100

> Without this check someone could easily create a denial of service
> by injecting multicast-specific queries to enable the bridge
> snooping part if no real querier issuing periodic general queries
> is present on the link which would result in the bridge wrongly
> shutting down ports for multicast traffic as the bridge did not learn
> about these listeners.
>
> With this patch the snooping code is enabled upon receiving valid,
> general queries only.
>
> Signed-off-by: Linus Lüssing

Applied.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
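The distinction the commit message above relies on, as an added example that is not part of the patch or the kernel's bridge code: a user-space classifier that treats only a well-formed IGMP general query (group address 0.0.0.0 and, for IGMPv3, an empty source list, per RFC 2236 and RFC 3376) as evidence of a querier. It covers IPv4 only; `classify_igmp`, `on_igmp` and the sample messages are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum query_kind { NOT_A_QUERY, INVALID_QUERY, SPECIFIC_QUERY, GENERAL_QUERY };

/* RFC 1071 Internet checksum; a message with a correct checksum yields 0. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Classify an IGMP message (IP header already stripped by the caller). */
enum query_kind classify_igmp(const uint8_t *msg, size_t len)
{
    static const uint8_t no_group[4] = { 0 };
    unsigned nsrcs = 0;
    if (len < 8 || msg[0] != 0x11)          /* 0x11 = Membership Query */
        return NOT_A_QUERY;
    if ((len > 8 && len < 12) || inet_csum(msg, len) != 0)
        return INVALID_QUERY;               /* bad length or checksum */
    if (len >= 12) {                        /* IGMPv3 query has a source list */
        nsrcs = ((unsigned)msg[10] << 8) | msg[11];
        if (len < 12 + 4u * nsrcs)
            return INVALID_QUERY;           /* truncated source list */
    }
    /* General query: group address 0.0.0.0 and no sources listed. */
    if (memcmp(msg + 4, no_group, 4) != 0 || nsrcs != 0)
        return SPECIFIC_QUERY;
    return GENERAL_QUERY;
}

/* Hypothetical gate: only a valid general query marks a querier as present. */
void on_igmp(int *querier_seen, const uint8_t *msg, size_t len)
{
    if (classify_igmp(msg, len) == GENERAL_QUERY)
        *querier_seen = 1;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t v2_general[]  = { 0x11, 0x64, 0xee, 0x9b, 0, 0, 0, 0 };
const uint8_t v2_specific[] = { 0x11, 0x0a, 0xfd, 0xf0, 239, 1, 2, 3 };
const uint8_t v2_bad_csum[] = { 0x11, 0x64, 0x00, 0x00, 0, 0, 0, 0 };
const uint8_t v3_general[]  = { 0x11, 0x64, 0xec, 0x1e, 0, 0, 0, 0, 0x02, 0x7d, 0, 0 };
```

Feeding `v2_specific` or `v2_bad_csum` to `on_igmp` leaves the flag at 0; only `v2_general` or `v3_general` sets it.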
Re: [PATCHv2 2/2] bridge: multicast: enable snooping on general queries only
On Mon, Mar 10, 2014 at 11:56:00PM +0100, Hannes Frederic Sowa wrote:
> On Mon, Mar 10, 2014 at 10:25:25PM +0100, Linus Lüssing wrote:
> > br_multicast_query_received(br, port, &br->ip6_querier,
> > - !ipv6_addr_any(&ip6h->saddr), max_delay);
> > + !ipv6_addr_any(&ip6h->saddr),
> > + is_general_query, max_delay);
>
> Just a small nit, maybe for a later patch:
>
> After your change 6565b9eeef194a ("bridge: multicast: add sanity check
> for query source addresses"), which is still in -net only, we could
> replace !ipv6_addr_any(&ip6h->saddr) with '1'?

Aiy, good point, that part is obsolete now and
br_multicast_query_received() could be simplified, right.

Going to do that once we are out of deep-RC territory again and/or
the according commit is available in net-next.

Thanks for the hint!

Cheers, Linus
Re: [PATCHv2 2/2] bridge: multicast: enable snooping on general queries only
On Mon, Mar 10, 2014 at 10:25:25PM +0100, Linus Lüssing wrote:
> br_multicast_query_received(br, port, &br->ip6_querier,
> - !ipv6_addr_any(&ip6h->saddr), max_delay);
> + !ipv6_addr_any(&ip6h->saddr),
> + is_general_query, max_delay);

Just a small nit, maybe for a later patch:

After your change 6565b9eeef194a ("bridge: multicast: add sanity check
for query source addresses"), which is still in -net only, we could
replace !ipv6_addr_any(&ip6h->saddr) with '1'?

Greetings,

Hannes
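Review bot: at the `br_multicast_query_received()` call, `is_general_query` is added as a second positional flag directly after `!ipv6_addr_any(&ip6h->saddr)`, so two truth-value arguments now sit side by side ahead of `max_delay` and a swapped order at a call site would still compile. A short comment on the function stating which argument is the source-address check and which is the general-query check would make the call sites easier to audit, given that the second flag is what decides whether snooping gets enabled.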