diff mbox series

[net-next] ipv4: Reject again rules with high DSCP values

Message ID cca72292694a74c76a6e155b34a8480df2918a14.1644495285.git.gnault@redhat.com (mailing list archive)
State Accepted
Commit dc513a405cade3e47bcda8de27c7a7bf6eeddd18
Delegated to: Netdev Maintainers
Headers show
Series [net-next] ipv4: Reject again rules with high DSCP values | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 7 this patch: 7
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Guillaume Nault Feb. 10, 2022, 12:24 p.m. UTC 
Commit 563f8e97e054 ("ipv4: Stop taking ECN bits into account in
fib4-rules") replaced the validation test on frh->tos. While the new
test is stricter for ECN bits, it doesn't detect the use of high order
DSCP bits. This would be fine if IPv4 could properly handle them. But
currently, most IPv4 lookups are done with the three high DSCP bits
masked. Therefore, using these bits doesn't lead to the expected
result.

Let's reject such configurations again, so that nobody starts to
use and make any assumption about how the stack handles the three high
order DSCP bits in fib4 rules.

Fixes: 563f8e97e054 ("ipv4: Stop taking ECN bits into account in fib4-rules")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/ipv4/fib_rules.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org Feb. 10, 2022, 3:40 p.m. UTC | #1 
Hello:

This patch was applied to netdev/net-next.git (master)
by David S. Miller <davem@davemloft.net>:

On Thu, 10 Feb 2022 13:24:51 +0100 you wrote:
> Commit 563f8e97e054 ("ipv4: Stop taking ECN bits into account in
> fib4-rules") replaced the validation test on frh->tos. While the new
> test is stricter for ECN bits, it doesn't detect the use of high order
> DSCP bits. This would be fine if IPv4 could properly handle them. But
> currently, most IPv4 lookups are done with the three high DSCP bits
> masked. Therefore, using these bits doesn't lead to the expected
> result.
> 
> [...]

Here is the summary with links:
  - [net-next] ipv4: Reject again rules with high DSCP values
    https://git.kernel.org/netdev/net-next/c/dc513a405cad

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 117c48571cf0..001fea394bde 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -231,6 +231,11 @@  static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
 			       "Invalid dsfield (tos): ECN bits must be 0");
 		goto errout;
 	}
+	/* IPv4 currently doesn't handle high order DSCP bits correctly */
+	if (frh->tos & ~IPTOS_TOS_MASK) {
+		NL_SET_ERR_MSG(extack, "Invalid tos");
+		goto errout;
+	}
 	rule4->dscp = inet_dsfield_to_dscp(frh->tos);
 
 	/* split local/main if they are not already split */