On 19/02/16 01:19, Steffen Klassert wrote:
> On Thu, Feb 18, 2016 at 01:40:00AM +0000, Mark McKinstry wrote:
>> This patch fixes our issue, thanks. In our scenario the tunnel path MTU
>> now gets updated so that subsequent large packets sent over the tunnel
>> get fragmented correctly.
> I've applied this patch to the ipsec tree now.
> Thanks for testing!

I spoke too soon. Upon further testing with this patch we have found it causes a skt buffer leak. This is problematic for us and can cause memory exhaustion in one of our test scenarios that has an IPv4 IPsec tunnel over a PPP link.

Also the patch's -EMSGSIZE return value appears to be invalid because vti_xmit() should be returning a type netdev_tx_t (NETDEV_TX_OK etc). It looks to me that this patch should really be doing a goto tx_error rather than doing an early return with -EMSGSIZE. This would result in the skt buffer being freed, NETDEV_TX_OK being returned (thus indicating vti_xmit() "took care of packet"), and the tx_errors counter being incremented (which seems like a reasonable thing to do).

I think the original IPv6 patch probably has the same issues, and could be causing a DOS attack vulnerability in recent Linux releases. If this patch's code gets hit for every received packet then the box's memory will soon be exhausted - e.g. a rogue device sends a stream of largish pkts through a box with a vti interface, and ignores every ICMPV6_PKT_TOOBIG pkt sent back to it.
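
The buffer-ownership problem described in the message above, as an added user-space C model (not kernel code and not part of the original thread). It contrasts an early error return with a single `tx_error` exit that frees the buffer. All type and function names are hypothetical stand-ins, and the model assumes the caller never frees a buffer once it has handed it to the transmit function.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* User-space model. All names are illustrative stand-ins, not kernel code. */
typedef enum { TX_OK = 0 } tx_t;                      /* stands in for netdev_tx_t */
struct pkt { size_t len; };                           /* stands in for an skb */
struct stats { unsigned long tx_errors; long live; }; /* live: allocated, not freed */

static struct pkt *pkt_alloc(struct stats *s, size_t len) {
    struct pkt *p = malloc(sizeof(*p));
    if (p) { p->len = len; s->live++; }
    return p;
}
static void pkt_free(struct stats *s, struct pkt *p) { free(p); s->live--; }

/* Early return: buffer never freed, and -EMSGSIZE is not a tx_t value (hence int). */
static int xmit_early_return(struct stats *s, struct pkt *p, size_t mtu) {
    if (p->len > mtu) return -EMSGSIZE;               /* nobody frees p: leak */
    pkt_free(s, p);                                   /* "sent": buffer consumed */
    return TX_OK;
}

/* Single error exit: every path frees the buffer and the error is counted. */
static tx_t xmit_goto_tx_error(struct stats *s, struct pkt *p, size_t mtu) {
    if (p->len > mtu) goto tx_error;
    pkt_free(s, p);
    return TX_OK;
tx_error:
    s->tx_errors++;
    pkt_free(s, p);
    return TX_OK;                                     /* packet was taken care of */
}

/* Push n oversize packets down one path; return the buffers still allocated. */
static long flood(int fixed, int n, struct stats *s) {
    s->tx_errors = 0; s->live = 0;
    for (int i = 0; i < n; i++) {
        struct pkt *p = pkt_alloc(s, 1500);           /* constructed sample size */
        if (!p) break;
        if (fixed) (void)xmit_goto_tx_error(s, p, 1400);
        else (void)xmit_early_return(s, p, 1400);
    }
    return s->live;
}

int main(void) {
    struct stats s;
    printf("early return:  %ld buffers leaked\n", flood(0, 1000, &s));
    printf("goto tx_error: %ld buffers leaked\n", flood(1, 1000, &s));
}
```

In the model the leak grows linearly with the number of oversize packets on the early-return path, while the `tx_error` path holds it at zero and records each drop in `tx_errors`.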