From: Michael Tuexen
To: Bryan Venteicher
Cc: FreeBSD Net
Subject: Re: UDP/IPv6 handling
Date: Thu, 2 Oct 2014 09:32:34 +0200
Message-Id: <6AF1921D-BAFB-4969-80EF-C1CE37446D65@lurchi.franken.de>
List-Id: Networking and TCP/IP with FreeBSD

On 02 Oct 2014, at 05:51, Bryan Venteicher wrote:

>
>
> On Wed, Oct 1, 2014 at 11:58 AM, Michael Tuexen wrote:
> Dear all,
>
> in udp6_input() we have the following code:
>
>         if (nxt == IPPROTO_UDP && plen != ulen) {
>                 UDPSTAT_INC(udps_badlen);
>                 goto badunlocked;
>         }
>         /*
>          * Checksum extended UDP header and data.
>          */
>         if (uh->uh_sum == 0) {
>                 if (ulen > plen || ulen < sizeof(struct udphdr)) {
>                         UDPSTAT_INC(udps_nosum);
>                         goto badunlocked;
>                 }
>         }
>
> I'm trying to understand the UDP code path...
>
>
> I too was recently confused by this code. I pointed out one issue to kevlo@ recently, but it still kind of seemed like the UDP-Lite was mismerged to IPv6.
I have a patch (to be committed soon which fixes UDPLite/IPv6).
>
> So (ulen > plen) can't be true. I'm wondering why do we only check the ulen is not too
> short only in the case when the UDP checksum is zero. A zero checksum should also never happen.
Yepp.
>
>
> I hope to have a patch for RFC6935 [1] soon so a zero checksum may be allowed if the inp/udpcb is configured for it.
Great. However, we need to check that ulen is at least sizeof(struct udphdr) in any case.
>
>
> I think we should check for ulen < sizeof(struct udphdr) in any case.
>
>
> I think previously, the checks in ip6_input(), IP6_EXTHDR_CHECK(), and plen == ulen made this unnecessary. I think we'd want to do it for UDP-Lite if ulen was not initially zero.
But IP6_EXTHDR_CHECK doesn't check any fields in the packet. So it can happen that plen == ulen and ulen < sizeof(struct udphdr)...

Best regards
Michael
> [1] - http://tools.ietf.org/html/rfc6935
>
> Opinions?
>
> Best regards
> Michael
>
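
Added example, not part of the original message and not FreeBSD source: a user-space model of only the two quoted checks, next to a variant that applies the minimum-length test regardless of the checksum value, as the reply asks for. The function names, the verdict enum, the sample headers and the choice to count a short ulen as a bad length are assumptions; the checks done earlier in ip6_input() and by IP6_EXTHDR_CHECK() are outside the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDP_HDR_LEN 8u /* sizeof(struct udphdr): sport, dport, ulen, sum */

enum verdict { PASS, DROP_BADLEN, DROP_NOSUM };

/* Read a big-endian 16-bit field from the wire-format header. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The two checks as quoted in the thread, for nxt == IPPROTO_UDP. */
static enum verdict check_as_quoted(const uint8_t hdr[8], size_t plen)
{
    uint16_t ulen = be16(hdr + 4), sum = be16(hdr + 6);

    if (plen != ulen)
        return DROP_BADLEN;                          /* udps_badlen */
    if (sum == 0 && (ulen > plen || ulen < UDP_HDR_LEN))
        return DROP_NOSUM;                           /* udps_nosum */
    return PASS;              /* continues to checksum verification */
}

/* Same checks with the minimum-length test hoisted out of the
 * zero-checksum branch. Counting it as badlen is an assumption. */
static enum verdict check_hoisted(const uint8_t hdr[8], size_t plen)
{
    uint16_t ulen = be16(hdr + 4);

    if (plen != ulen || ulen < UDP_HDR_LEN)
        return DROP_BADLEN;
    return PASS;   /* zero-checksum policy is left to the later code */
}

/* Constructed headers: sport, dport, ulen, checksum (network order). */
static const uint8_t short_sum[8]  = {0x00,0x35,0x12,0x34, 0x00,0x04, 0xbe,0xef};
static const uint8_t short_zero[8] = {0x00,0x35,0x12,0x34, 0x00,0x04, 0x00,0x00};
static const uint8_t ok_hdr[8]     = {0x00,0x35,0x12,0x34, 0x00,0x0c, 0xbe,0xef};

int main(void)
{
    /* plen == ulen == 4 is the case raised at the end of the reply. */
    printf("ulen=4  sum!=0: quoted=%d hoisted=%d\n",
           check_as_quoted(short_sum, 4), check_hoisted(short_sum, 4));
    printf("ulen=4  sum==0: quoted=%d hoisted=%d\n",
           check_as_quoted(short_zero, 4), check_hoisted(short_zero, 4));
    printf("ulen=12 sum!=0: quoted=%d hoisted=%d\n",
           check_as_quoted(ok_hdr, 12), check_hoisted(ok_hdr, 12));
    return 0;
}
```

In this model the quoted checks reject a 4-byte ulen only when the checksum field is zero, while the hoisted form rejects it in both cases.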