Message ID | 20240410010917.90115-1-mail@david-bauer.net (mailing list archive)
---|---
State | Superseded
Delegated to | Netdev Maintainers
Series | [net] vxlan: drop packets from invalid src-address
On Wed, Apr 10, 2024 at 03:09:17AM +0200, David Bauer wrote:
> The VXLAN driver currently does not check if the inner layer2
> source-address is valid.
>
> In case source-address snooping/learning is enabled, an entry in the FDB
> for the invalid address is created with the layer3 address of the tunnel
> endpoint.
>
> If the frame happens to have a non-unicast address set, all this
> non-unicast traffic is subsequently not flooded to the tunnel network
> but sent to the learnt host in the FDB. To make matters worse, this FDB
> entry does not expire.
>
> Apply the same filtering for packets as it is done for bridges. This not
> only drops these invalid packets but avoids them from being learnt into
> the FDB.
>
> Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
>
> Suggested-by: Ido Schimmel <idosch@nvidia.com>
> Signed-off-by: David Bauer <mail@david-bauer.net>

Reviewed-by: Ido Schimmel <idosch@nvidia.com>

Code looks fine, but there shouldn't be a blank line between the Fixes tag and the other tags.

Please wait 24h before reposting unless one of the maintainers says otherwise:
https://docs.kernel.org/process/maintainer-netdev.html

Thanks
diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c index 3495591a5c29..ba319fc21957 100644 --- a/drivers/net/vxlan/vxlan_core.c +++ b/drivers/net/vxlan/vxlan_core.c @@ -1615,6 +1615,10 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan, if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)) return false; + /* Ignore packets from invalid src-address */ + if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) + return false; + /* Get address from the outer IP header */ if (vxlan_get_sk_family(vs) == AF_INET) { saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
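Review bot: the comment above the new is_valid_ether_addr() check in vxlan_set_mac() says less than the check does; since is_valid_ether_addr() rejects multicast sources (which includes broadcast) as well as the all-zero address, and the commit message says this mirrors the bridge code, consider spelling that out, e.g. `/* Ignore packets from invalid (multicast or all-zero) src-address, as the bridge does */`, so a later reader knows the silent drop is deliberate. The placement is right: the check sits after the own-address test and before the outer IP header is read, so a frame with a bad inner source is rejected before any FDB entry can be created for it.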
The VXLAN driver currently does not check if the inner layer2 source-address is valid.

In case source-address snooping/learning is enabled, an entry in the FDB for the invalid address is created with the layer3 address of the tunnel endpoint.

If the frame happens to have a non-unicast address set, all this non-unicast traffic is subsequently not flooded to the tunnel network but sent to the learnt host in the FDB. To make matters worse, this FDB entry does not expire.

Apply the same filtering for packets as it is done for bridges. This not only drops these invalid packets but avoids them from being learnt into the FDB.

Fixes: d342894c5d2f ("vxlan: virtual extensible lan")

Suggested-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
---
 drivers/net/vxlan/vxlan_core.c | 4 ++++
 1 file changed, 4 insertions(+)
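To make the failure mode in the commit message concrete, here is a constructed Python model of the learning path (an added illustration, not kernel or project code; the toy FDB, the endpoint address 192.0.2.10 and the `demo()` helper are assumptions): with the source check disabled, a multicast or broadcast inner source is learnt against the tunnel endpoint and later non-unicast traffic is sent there instead of being flooded; with the check, those frames are dropped before anything is learnt.

```python
# Constructed model of the VXLAN learning path the commit message describes
# (added illustration, not kernel code). Inner MACs are 6-byte bytes objects,
# tunnel endpoints are plain strings.

FLOOD = "flood"  # no FDB entry: frame is flooded to the tunnel network


def is_valid_ether_addr(mac: bytes) -> bool:
    """Same rule as the kernel helper the patch calls: a usable source MAC
    must not be multicast (I/G bit set, which includes broadcast) and must
    not be all zeros."""
    return len(mac) == 6 and not (mac[0] & 0x01) and any(mac)


class VxlanFdb:
    def __init__(self, check_src: bool):
        self.check_src = check_src          # True = behaviour with the patch applied
        self.table: dict[bytes, str] = {}   # inner MAC -> tunnel endpoint IP

    def receive(self, src: bytes, remote_ip: str) -> bool:
        """Decapsulated frame from remote_ip carrying inner source MAC src.
        Returns False when the frame is dropped (vxlan_set_mac() -> false)."""
        if self.check_src and not is_valid_ether_addr(src):
            return False
        # Snooping/learning: remember which endpoint this source MAC came from.
        self.table.setdefault(src, remote_ip)
        return True

    def lookup(self, dst: bytes) -> str:
        """Where a locally originated frame to dst would be sent."""
        return self.table.get(dst, FLOOD)


BCAST = b"\xff" * 6                        # broadcast
MCAST = bytes.fromhex("01005e000001")      # IPv4 multicast group MAC
ZERO = bytes(6)                            # all-zero address


def demo(check_src: bool) -> tuple:
    """Feed frames with invalid inner sources from one (constructed) endpoint,
    then ask where multicast and broadcast traffic would go afterwards.
    Returns (frames accepted, next hop for MCAST, next hop for BCAST)."""
    fdb = VxlanFdb(check_src)
    accepted = sum(fdb.receive(mac, "192.0.2.10") for mac in (MCAST, BCAST, ZERO))
    return accepted, fdb.lookup(MCAST), fdb.lookup(BCAST)


if __name__ == "__main__":
    print("before patch:", demo(False))  # (3, '192.0.2.10', '192.0.2.10')
    print("after patch: ", demo(True))   # (0, 'flood', 'flood')
```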