On 22.12.2015 17:59, Huw Davies wrote:
> On Tue, Dec 22, 2015 at 02:50:20PM +0100, Hannes Frederic Sowa wrote:
>> On 22.12.2015 12:46, Huw Davies wrote:
>>>
>>> +/* CALIPSO RFC 5570 */
>>> +
>>> +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff)
>>> +{
>>> + const unsigned char *nh = skb_network_header(skb);
>>> +
>>> + if (nh[optoff + 1] < 8)
>>> + goto drop;
>>> +
>>> + if (nh[optoff + 6] * 4 + 8 > nh[optoff + 1])
>>> + goto drop;
>>> +
>>> + if (!calipso_validate(skb, nh + optoff))
>>> + goto drop;
>>> +
>>> + return true;
>>> +
>>> +drop:
>>> + kfree_skb(skb);
>>> + return false;
>>> +}
>>> +
>>
>> Formally, if an extension header could not be processed, the packet
>> should be discarded and an icmp error parameter extension should be
>> send. I think we shouldn't let those packets pass here.
>
> Thanks for your comments Hannes, I'm looking into your other
> suggestions.
>
> I'm confused about this one. AFAICS, this will drop packets that we
> can't process. We don't send the icmp error, but I can certainly add
> that. Is that what you mean?
Actually, the implementation of calipso_validate will accept the packets
because it defaults to return true if we don't compile the module. At
least we should drop the packet if it is not loaded. I am in favor of
adding the parameter problem icmp error. So, yes, I think it should be
added.
Bye,
Hannes
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
