HIPL

Merge lp:~christof-mroz/hipl/midauth-nfqueue-fix into lp:hipl

  1. midauth-nfqueue-fix
  2. Merge into trunk
Proposed by Christof Mroz
Status: Merged
Merged at revision: 6464
Proposed branch: lp:~christof-mroz/hipl/midauth-nfqueue-fix
Merge into: lp:hipl
Diff against target: 111 lines (+35/-29)
1 file modified
hipfw/rewrite.c (+35/-29)
To merge this branch: bzr merge lp:~christof-mroz/hipl/midauth-nfqueue-fix
Reviewer Review Type Date Requested Status
Miika Komu Approve
Review via email: mp+288588@code.launchpad.net

Description of the change

This is a fix for Bug #1554072, based on an earlier fix which seemed to work. Keeping this as a separate branch since I didn't have a chance to test it yet.

To post a comment you must log in.
Revision history for this message
Miika Komu (miika-iki) wrote :

Tested, works (see the log snippet below)! Please merge and commit.

debug(hipfw/hipfw.c:1060@filter_hip): falling back to default HIP/ESP behavior, target 1
debug(hipfw/conntrack.c:2059@get_tuple_by_hits): connection found,
debug(hipfw/conntrack.c:1736@check_packet): check packet: type 3
debug(hipfw/midauth.c:345@hipfw_midauth_verify_challenge): Correct CHALLENGE_RESPONSE found
info(hipfw/conntrack.c:1065@fw_verify_and_store_host_id): HI -> HIT mapping verified
info(hipfw/conntrack.c:1030@fw_verify_packet): Signature successfully verified
debug(hipfw/conntrack.c:310@get_esp_address): Looking for entry with addr: : 172.17.0.2
debug(hipfw/conntrack.c:328@get_esp_address): no matching entry found
debug(hipfw/conntrack.c:508@update_esp_address): address: ::ffff:172.17.0.2
debug(hipfw/dlist.c:137@append_to_list): List is empty inserting first node
debug(hipfw/conntrack.c:1791@check_packet): udp_encap_hdr=0x6adb94 tuple=0x25c4c90 err=1
debug(hipfw/conntrack.c:1797@check_packet): UDP src port 10500
debug(hipfw/conntrack.c:1798@check_packet): UDP dst port 10500
debug(hipfw/hipfw.c:1656@fw_handle_packet): === Verdict: allow modified packet ===
debug(hipfw/rewrite.c:383@allow_modified_packet): Packet accepted with modifications

review: Approve
Revision history for this message
Miika Komu (miika-iki) wrote :

Merged. Thanks again for the fix!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'hipfw/rewrite.c'
2--- hipfw/rewrite.c 2016-03-09 14:40:26 +0000
3+++ hipfw/rewrite.c 2016-03-09 23:08:08 +0000
4@@ -1,5 +1,5 @@
5 /*
6- * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University.
7+ * Copyright (c) 2011, 2013, 2016 Aalto University and RWTH Aachen University.
8 *
9 * Permission is hereby granted, free of charge, to any person
10 * obtaining a copy of this software and associated documentation
11@@ -69,16 +69,15 @@
12 #include "libcore/debug.h"
13 #include "rewrite.h"
14
15-// static configuration
16-// note: see bug report lp:1554072 (setting this to false does not work)
17-static const bool assume_ipq_buffer_sufficient = true;
18-
19-struct scratch_buffer {
20- hip_ipq_packet_msg ipq;
21- uint8_t *payload[HIP_MAX_PACKET];
22-} __attribute__((packed)); // no gaps between header and payload
23-
24-static struct scratch_buffer scratch_buffer;
25+/**
26+ * Don't copy into a temporary buffer if true. May improve performance a bit,
27+ * but is not considered safe yet, as explained in this file's top-level
28+ * documentation.
29+ * May be useful for debugging or benchmarking the effect of copying, however.
30+ */
31+static const bool assume_ipq_buffer_sufficient = false;
32+
33+static uint8_t scratch_buffer[HIP_MAX_PACKET];
34
35 /**
36 * Given the address @a field of a struct member of @a old, return
37@@ -146,25 +145,33 @@
38 return;
39 }
40
41- if (ctx->ipq_packet != &scratch_buffer.ipq) {
42- // simply rebase the old pointers
43+ if (ctx->ipq_packet->payload != scratch_buffer) {
44+ // copy packet data
45+ memcpy(scratch_buffer, ctx->ipq_packet->payload,
46+ ctx->ipq_packet->data_len);
47+
48+ // rebase pointers in ctx to point into copy
49 if (ctx->ip_version == 4) {
50- ctx->ip_hdr.ipv4 = rebase(ctx->ip_hdr.ipv4, ctx->ipq_packet,
51- &scratch_buffer.ipq);
52+ ctx->ip_hdr.ipv4 = rebase(ctx->ip_hdr.ipv4,
53+ ctx->ipq_packet->payload,
54+ scratch_buffer);
55 } else {
56 HIP_ASSERT(ctx->ip_version == 6);
57- ctx->ip_hdr.ipv6 = rebase(ctx->ip_hdr.ipv6, ctx->ipq_packet,
58- &scratch_buffer.ipq);
59+ ctx->ip_hdr.ipv6 = rebase(ctx->ip_hdr.ipv6,
60+ ctx->ipq_packet->payload,
61+ scratch_buffer);
62 }
63
64 switch (ctx->packet_type) {
65 case ESP_PACKET:
66- ctx->transport_hdr.esp = rebase(ctx->transport_hdr.esp, ctx->ipq_packet,
67- &scratch_buffer.ipq);
68+ ctx->transport_hdr.esp = rebase(ctx->transport_hdr.esp,
69+ ctx->ipq_packet->payload,
70+ scratch_buffer);
71 break;
72 case HIP_PACKET:
73- ctx->transport_hdr.hip = rebase(ctx->transport_hdr.hip, ctx->ipq_packet,
74- &scratch_buffer.ipq);
75+ ctx->transport_hdr.hip = rebase(ctx->transport_hdr.hip,
76+ ctx->ipq_packet->payload,
77+ scratch_buffer);
78 break;
79 case OTHER_PACKET:
80 break;
81@@ -173,15 +180,14 @@
82 }
83
84 if (ctx->udp_encap_hdr) {
85- ctx->udp_encap_hdr = rebase(ctx->udp_encap_hdr, ctx->ipq_packet,
86- &scratch_buffer.ipq);
87+ ctx->udp_encap_hdr = rebase(ctx->udp_encap_hdr,
88+ ctx->ipq_packet->payload,
89+ scratch_buffer);
90 }
91
92- // copy ipq packet plus payload
93- memcpy(&scratch_buffer.ipq, ctx->ipq_packet,
94- sizeof(*ctx->ipq_packet) + ctx->ipq_packet->data_len);
95- ctx->ipq_packet = &scratch_buffer.ipq;
96- ctx->modified = 1;
97+ // set payload pointer to copy
98+ ctx->ipq_packet->payload = scratch_buffer;
99+ ctx->modified = 1;
100 } else {
101 // second invocation
102 HIP_ASSERT(ctx->modified);
103@@ -212,7 +218,7 @@
104 // RFC 5201: Types 0 - 1023 are signed, so they must not be moved
105 HIP_ASSERT(param_type >= 1024);
106
107- if (ctx->ipq_packet->data_len + param_len > sizeof(scratch_buffer.payload)) {
108+ if (ctx->ipq_packet->data_len + param_len > HIP_MAX_PACKET) {
109 HIP_ERROR("New parameter of type %u, effective size %u, "
110 "does not fit into packet", param_type, param_len);
111 return false;

Subscribers

People subscribed via source and target branches

to all changes: