From patchwork Wed Dec 29 16:53:41 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Albert Pretorius <albertpretorius@yahoo.co.uk>
X-Patchwork-Id: 76930
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id EDE92B70E0
	for <patchwork-incoming@ozlabs.org>;
	Thu, 30 Dec 2010 03:54:06 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753395Ab0L2Qxo (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 29 Dec 2010 11:53:44 -0500
Received: from nm2-vm0.bullet.mail.ird.yahoo.com ([77.238.189.199]:23646
	"HELO nm2-vm0.bullet.mail.ird.yahoo.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with SMTP id S1753508Ab0L2Qxn convert
	rfc822-to-8bit (ORCPT <rfc822;netdev@vger.kernel.org>);
	Wed, 29 Dec 2010 11:53:43 -0500
Received: from [77.238.189.57] by nm2.bullet.mail.ird.yahoo.com with NNFMP;
	29 Dec 2010 16:53:41 -0000
Received: from [212.82.108.248] by tm10.bullet.mail.ird.yahoo.com with NNFMP;
	29 Dec 2010 16:53:41 -0000
Received: from [127.0.0.1] by omp1013.mail.ird.yahoo.com with NNFMP;
	29 Dec 2010 16:53:41 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 904475.29333.bm@omp1013.mail.ird.yahoo.com
Received: (qmail 34764 invoked by uid 60001); 29 Dec 2010 16:53:41 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024;
	t=1293641621; bh=pR2u5LDY6PiEcemIZmAGgcVveXoNMIJ0xjpe7fQQaik=;
	h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	b=n/JcdZxwLOGnLgBC+2hcip2LZRTPF5XxfLUHW71svmSyT7YC/1iKAUwD7VpNSo00ouiKLP0LG+siVG0j8AgDzF0F77Vbyn7LJm28zBpG5Hk5m9DyjuWcyptKseji6bg3eP3qpHFFtQNA2BuCQa2UZbKgUXVBPx7pl2Q/TKOVDOU=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.uk;
	h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	b=DKKUc2qmqeZO+6lnxmNwGXFZe4DGB2dVC6VPfjcdWh3l6Pu7KQRZtQF6Dq3FtpM5kYonEdjV/5Xdl+wlPsyx3V36pNyFlY0RA+343/wL+wNTWfzMVYBY5koJiKzEHBQCYY43NygPBR6FH73JJrt4RPisWFq5/ULxhzXK2VHV4ZI=;
Message-ID: <650920.34739.qm@web29014.mail.ird.yahoo.com>
X-YMail-OSG: T7NdvM0VM1lQfj9YbP4NoPCGF6D9pwmOI3bO1c9AJ2Ulw5I
	gMuQ.oGI5CQp5oP6Z5bZxNhmc6fh2TkCc2Ou8jO5f0AYu77eT3lJRZSTlWZq
	keXieoLGjX4vq.y5tE2CiFPTRgthWck.Jd336MuPtB_DU0EBbzuE60fRMG01
	njZVRz4HvBjUw2mQM55kHVZNEWIvhZonSqsm9_5C8WP5etpM_Jp8eFeK376f
	v.r5nbVydYIkAxB2ZwimNHuV9f80YzlW1unnia1_OPHfb.gFm_eU01EJoYfg
	EcQLwFXtp73duGbSu0gjcl8DCI9ebiyKVPj7.r3tquaU4d4YpS6c0rVH0l4u
	RSsxiyW1AVLBE3RPX_mfxei6zSj4vwgS_g1_K
Received: from [91.212.94.4] by web29014.mail.ird.yahoo.com via HTTP;
	Wed, 29 Dec 2010 16:53:41 GMT
X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259
Date: Wed, 29 Dec 2010 16:53:41 +0000 (GMT)
From: Albert Pretorius <albertpretorius@yahoo.co.uk>
Subject: Re: IPV6 loopback bound socket succeeds connecting to remote host
To: David Miller <davem@davemloft.net>,
	Shan Wei <shanwei@cn.fujitsu.com>
Cc: netdev@vger.kernel.org, yoshfuji@linux-ipv6.org, pekkas@netcore.fi,
	jmorris@namei.org
In-Reply-To: <4D11A370.9060901@cn.fujitsu.com>
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Hi
I tested this on 2.6.37-rc8 but unfortunately that does not address the problem. I suspect the ip_forward.c change only addresses the routing of data when /proc/sys/net/ipv6/conf/all/forwarding is enabled.

The original patch is required to prevent the kernel from sending a packet on the network with a source address of loopback. The kernel should not do that regardless of whether the packet will be dropped by the network (not routed).

Also from an application point of view I believe the behaviour should be the same for IPV4 and IPV6 when binding to loopback and connecting to remote address (i.e. EINVAL).

A further change is required to avoid the kernel acting on the reception of a packet with source address of loopback. Currently it will generate an ICMP6 dest unreachable, or pass the packet to an application listening on that port.

This patch (which includes the previous) seems to addresses the above problems:

---8<---
--->8---

best regards,
Albert Pretorius


--- On Wed, 22/12/10, Shan Wei <shanwei@cn.fujitsu.com> wrote:

> From: Shan Wei <shanwei@cn.fujitsu.com>
> Subject: Re: IPV6 loopback bound socket succeeds connecting to remote host
> To: "David Miller" <davem@davemloft.net>
> Cc: albertpretorius@yahoo.co.uk, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org, pekkas@netcore.fi, jmorris@namei.org
> Date: Wednesday, 22 December, 2010, 7:06
> David Miller wrote, at 12/20/2010
> 02:43 PM:
> > From: Shan Wei <shanwei@cn.fujitsu.com>
> > Date: Mon, 20 Dec 2010 14:31:28 +0800
> > 
> >> David Miller wrote, at 12/17/2010 04:18 AM:
> >>> Your approach will only modify socket based
> route handling, it will
> >>> not handle the ipv6 forwarding case which as
> per the quoted RFC
> >>> sections must be handled too.
> >>
> >> For the ipv6 forwarding case, we have done the
> check in ip6_forward().
> >>
> >>  493           
>      int addrtype =
> ipv6_addr_type(&hdr->saddr);
> >>  494 
> >>  495           
>      /* This check is security critical.
> */
> >>  496           
>      if (addrtype == IPV6_ADDR_ANY ||
> >>  497           
>          addrtype &
> (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
> >>  498           
>              goto
> error;
> > 
> > Indeed, thanks for pointing this out.
> 
> Notice that the state in patchwork is “Changes
> Requested”, what should i do 
> now?  I have no idead which part of this patch should
> be changed.
> 
> -- 
> Best Regards
> -----
> Shan Wei
>
---
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index a83e920..a374100 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -108,7 +108,7 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
     * of loopback must be dropped.
     */
    if (!(dev->flags & IFF_LOOPBACK) &&
-       ipv6_addr_loopback(&hdr->daddr))
+       (ipv6_addr_loopback(&hdr->daddr) | ipv6_addr_loopback(&hdr->saddr)))
        goto err;

    skb->transport_header = skb->network_header + sizeof(*hdr);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 94b5bf1..0257998 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -919,6 +919,7 @@ static int ip6_dst_lookup_tail(struct sock *sk,
 {
    int err;
    struct net *net = sock_net(sk);
+   struct net_device *dev_out;

    if (*dst == NULL)
        *dst = ip6_route_output(net, sk, fl);
@@ -926,6 +927,13 @@ static int ip6_dst_lookup_tail(struct sock *sk,
    if ((err = (*dst)->error))
        goto out_err_release;

+   dev_out = ip6_dst_idev(*dst)->dev;
+   if (dev_out && ipv6_addr_loopback(&fl->fl6_src) &&
+       !(dev_out->flags & IFF_LOOPBACK)) {
+       err = -EINVAL;
+       goto out_err_release;
+   }
+
    if (ipv6_addr_any(&fl->fl6_src)) {
        err = ipv6_dev_get_saddr(net, ip6_dst_idev(*dst)->dev,
                     &fl->fl6_dst,