Hi,
On 18/09/2022 12:12, Gert Doering wrote:
> Hi,
> On Sat, Sep 17, 2022 at 11:31:54PM +0200, Antonio Quartulli wrote:
>> This patch brings the following improvements:
>> * check that ETH proto and version in IP header are consistent;
>> * check that length of the packet is enough to store the expected IP
>>   header (it may be an IPv4 or an IPv6 header)
> Since this is in the fast path - what is the motivation behind adding
> all these extra checks?
These extra checks are meant to prevent bogus packets from sneaking in (i.e. an
ETH packet saying IPv4, but then having an IPv6 header on top).
Additionally we accept IPv6 packets without really checking if the
packet has enough room for an entire IPv6 header.
This said, I did not consider that this function is along the fast path,
therefore I'll check if we can reduce the number of jumps.
In the worst case I will only address the second point of the list above
(as we may later access an IPv6 header that is not fully allocated).
Cheers,
gert
--
Antonio Quartulli
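
The two checks discussed in this thread, as an added C example (not the patch under review and not OpenVPN code): `ip_version_checked` and its `has_eth` parameter are hypothetical names, and VLAN tags are not handled. The IPv4 branch also honours the IHL field, which goes slightly beyond the minimum-length check the thread describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14
#define IPV4_HDR_MIN   20
#define IPV6_HDR_LEN   40
#define ETHERTYPE_IPV4 0x0800u
#define ETHERTYPE_IPV6 0x86DDu

/* Hypothetical helper: returns 4 or 6 for a consistent, long-enough
 * IPv4/IPv6 packet, 0 otherwise. has_eth != 0 means buf starts with
 * an Ethernet header. */
int ip_version_checked(const uint8_t *buf, size_t len, int has_eth)
{
    size_t off = 0;
    unsigned ethertype = 0, ver;

    if (has_eth) {
        if (len < ETH_HDR_LEN)
            return 0;
        ethertype = ((unsigned)buf[12] << 8) | buf[13];
        if (ethertype != ETHERTYPE_IPV4 && ethertype != ETHERTYPE_IPV6)
            return 0;
        off = ETH_HDR_LEN;
    }
    if (len - off < 1)          /* need one byte for the version nibble */
        return 0;
    ver = buf[off] >> 4;

    /* EtherType and IP version must agree */
    if (has_eth && ver != (ethertype == ETHERTYPE_IPV4 ? 4u : 6u))
        return 0;
    if (ver == 4) {             /* IHL counts 32-bit words */
        size_t ihl = (size_t)(buf[off] & 0x0f) * 4;
        return (ihl >= IPV4_HDR_MIN && len - off >= ihl) ? 4 : 0;
    }
    if (ver == 6)               /* fixed header must be fully present */
        return (len - off >= IPV6_HDR_LEN) ? 6 : 0;
    return 0;
}

int main(void)
{
    /* Constructed frame: EtherType says IPv4, payload carries version 6 */
    uint8_t frame[ETH_HDR_LEN + IPV6_HDR_LEN] = {0};
    frame[12] = 0x08; frame[13] = 0x00; frame[14] = 0x60;
    printf("mismatched frame -> %d\n", ip_version_checked(frame, sizeof(frame), 1));
    return 0;
}
```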