Patch "vxlan: drop packets from invalid src-address" has been added to the 4.19-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    vxlan: drop packets from invalid src-address

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     vxlan-drop-packets-from-invalid-src-address.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 34a9fc43cfd9fbd71bf8e298ad3b51178cb9b81b
Author: David Bauer <mail@xxxxxxxxxxxxxxx>
Date:   Thu Apr 18 15:29:08 2024 +0200

    vxlan: drop packets from invalid src-address
    
    [ Upstream commit f58f45c1e5b92975e91754f5407250085a6ae7cf ]
    
    The VXLAN driver currently does not check if the inner layer2
    source-address is valid.
    
    In case source-address snooping/learning is enabled, a entry in the FDB
    for the invalid address is created with the layer3 address of the tunnel
    endpoint.
    
    If the frame happens to have a non-unicast address set, all this
    non-unicast traffic is subsequently not flooded to the tunnel network
    but sent to the learnt host in the FDB. To make matters worse, this FDB
    entry does not expire.
    
    Apply the same filtering for packets as it is done for bridges. This not
    only drops these invalid packets but avoids them from being learnt into
    the FDB.
    
    Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
    Suggested-by: Ido Schimmel <idosch@xxxxxxxxxx>
    Signed-off-by: David Bauer <mail@xxxxxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index d5c8d0d54b33d..b004c8b6ec28e 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1320,6 +1320,10 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan,
 	if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr))
 		return false;
 
+	/* Ignore packets from invalid src-address */
+	if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
+		return false;
+
 	/* Get address from the outer IP header */
 	if (vxlan_get_sk_family(vs) == AF_INET) {
 		saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr;




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux