Hi Jamie, 2017-04-21, 13:58:44 +1000, Jamie Bainbridge wrote: > IPv6 assumes there is data after the network header and blindly delivers > skbs to raw sockets without checking the presence of data. > > With an application in a common loop where it checks select/poll/epoll > then ioctl(SIOCINQ/FIONREAD) is positive before continuing to > recvfrom(), this behaviour can cause the application to loop forever > on ioctl() because there is a zero-length skb to receive. > > With this, it is very easy to make a Denial of Service attack by > crafting a packet which declares a Next Header in the IPv6 header but > does not actually supply a transport header and/or payload. > > skb->len is already correctly set in ip6_input_finish() with pskb_pull() > so check this length before delivering zero data to raw sockets.
Isn't that changing behavior? recv() currently returns 0 when a packet that stops right after the IP header arrives. After this, the userspace program won't receive anything in this case? -- Sabrina
