On Thu, Oct 08, 2020 at 11:47:00AM +0200, Eric Dumazet wrote:
>
>
> On 10/8/20 10:30 AM, Hangbin Liu wrote:
> >>> @@ -282,6 +285,21 @@ static struct sk_buff *ip6_rcv_core(struct sk_buff
> >>> *skb, struct net_device *dev,
> >>> }
> >>> }
> >>>
> >>> + /* RFC 8200, Section 4.5 Fragment Header:
> >>> + * If the first fragment does not include all headers through an
> >>> + * Upper-Layer header, then that fragment should be discarded and
> >>> + * an ICMP Parameter Problem, Code 3, message should be sent to
> >>> + * the source of the fragment, with the Pointer field set to zero.
> >>> + */
> >>> + nexthdr = hdr->nexthdr;
> >>> + offset = ipv6_skip_exthdr(skb, skb_transport_offset(skb), &nexthdr,
> >>> &frag_off);
> >>> + if (frag_off == htons(IP6_MF) && !pskb_may_pull(skb, offset + 1)) {
> >>> + __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
> >>> + icmpv6_param_prob(skb, ICMPV6_HDR_INCOMP, 0);
> >>> + rcu_read_unlock();
> >>> + return NULL;
> >>> + }
> >>> +
> >>> rcu_read_unlock();
> >>>
> >>> /* Must drop socket now because of tproxy. */
> >>>
> >>
> >> Ouch, this is quite a buggy patch.
> >>
> >> I doubt we want to add yet another ipv6_skip_exthdr() call in IPv6 fast
> >> path.
> >>
> >> Surely the presence of NEXTHDR_FRAGMENT is already tested elsewhere ?
> >
> > Would you like to help point where NEXTHDR_FRAGMENT was tested before IPv6
> > defragment?
> I think we have to ask the question : Should routers enforce the rule, or
> only end points ?
>From IPv6 Core Conformance test[1], it applied to both router and host(It will
marked specifically if a test only for router).
>
> End points must handle NEXTHDR_FRAGMENT, in ipv6_frag_rcv()
Yes, I was also try put the check there, but it looks that would be too late
if module nf_defrag_ipv6 loaded
> >> Also ipv6_skip_exthdr() can return an error.
> >
> > it returns -1 as error, If we tested it by (offset + 1 > skb->len), does
> > that count as an error handler?
>
> If there is an error, then you want to send the ICMP, right ?
No, this is only for fragment header with no enough Upper-Layer header, which
need
send ICMP Parameter Problem, Code 3 specifically. For other errors, I guess
the other code will take care of it.
So for -1 return, I just skipped it.
>
> The (offset + 1) expression will become 0, and surely the test will be false,
> so you wont send the ICMP...
[1] v6LC.1.3.6: First Fragment Doesn’t Contain All Headers part A, B,
C and D at https://ipv6ready.org/docs/Core_Conformance_5_0_0.pdf
Thanks
Hangbin
