Page MenuHomeFreeBSD
Differential D50455

carp: fix mbuf_tag usage in carp_macmatch6
ClosedPublic
Actions

Authored by ae on Wed, May 21, 9:47 AM.
Tags
None
Referenced Files
F117891393: D50455.diff
Sat, May 24, 8:23 AM
Unknown Object (File)
Wed, May 21, 1:00 PM
Subscribers
glebius
imp
melifaro

Details

Reviewers
glebius
zlei
kp
Group Reviewers
network
Commits
rG6a97fbe6fcb3: carp: fix mbuf_tag usage in carp_macmatch6
Summary

carp_macmatch6() had two issues that affect IPv6 processing:

  1. it returns sc->sc_addr pointer that might become invalid after softc destroying.
  2. carp_output() expects carp vhid to be stored in the mtag, not the pointer to softc.

Fix these issues. Allocate enough space in mtag to keep both vhid and
mac address. Copy vhid first to fix issue with carp_output(), then
copy sc_addr and return pointer to this copy. mtag will be alive
until mbuf is used.
This fixes problem when IPv6 packets originated from CARP IPv6 address
use incorrect mac address due to mbuf_tag has invalid data.

Test Plan

Before patch:

12:51:23.971006 00:00:5e:00:01:00 > 84:46:fe:e9:3a:fb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::1 > fe80::8646:feff:fee9:3afb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::8646:feff:fee9:3afb
	  source link-address option (1), length 8 (1): 00:00:5e:00:01:09
12:51:23.979630 84:46:fe:e9:3a:fb > 00:00:5e:00:01:09, ethertype IPv6 (0x86dd), length 86: (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::8646:feff:fee9:3afb > fe80::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::8646:feff:fee9:3afb, Flags [router, solicited, override]
	  destination link-address option (2), length 8 (1): 84:46:fe:e9:3a:fb

ICMPv6 NS there uses 00:00:5e:00:01:00 mac that is incorrect, since it has zeor vhid. In this example ICMPv6 NA was replied to correct mac address, but some systems use to reply mac address with zero vhid that was used as source in NS request and then such replies are ignored, because carp_forus() can not find corresponding address:

22:05:44.474698 00:00:5e:00:01:00 > ae:f2:39:45:ca:b7, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::1 > fe80::18b2:bf65:4abf:869
3: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::18b2:bf65:4abf:8693
          source link-address option (1), length 8 (1): 00:00:5e:00:01:2f
22:05:44.474937 ae:f2:39:45:ca:b7 > 00:00:5e:00:01:00, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::18b2:bf65:4abf:8693 > fe80::
1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::18b2:bf65:4abf:8693, Flags [solicited]
          destination link-address option (2), length 8 (1): ae:f2:39:45:ca:b7

In this case system ignores received ICMPv6 NA and can not resolve IPv6<->MAC pairs.

After patch:

11:43:41.905788 00:00:5e:00:01:09 > 84:46:fe:e9:3a:fb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::1 > fe80::8646:feff:fee9:3afb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::8646:feff:fee9:3afb
	  source link-address option (1), length 8 (1): 00:00:5e:00:01:09
11:43:41.915472 84:46:fe:e9:3a:fb > 00:00:5e:00:01:09, ethertype IPv6 (0x86dd), length 86: (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::8646:feff:fee9:3afb > fe80::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::8646:feff:fee9:3afb, Flags [router, solicited, override]
	  destination link-address option (2), length 8 (1): 84:46:fe:e9:3a:fb

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ae created this revision.Wed, May 21, 9:47 AM
ae held this revision as a draft.
Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptWed, May 21, 9:47 AM
Harbormaster completed remote builds in B64342: Diff 155813.Wed, May 21, 9:47 AM
ae published this revision for review.Wed, May 21, 10:05 AM
ae edited the test plan for this revision. (Show Details)
ae added reviewers: network, glebius, zlei, kp.
zlei accepted this revision as: zlei.Wed, May 21, 2:00 PM

Looks good to me.

sys/netinet/ip_carp.c
1707

The new allocated mtag shall not overlap with any members of sc, so memcpy() is safe to use here, instead of bcopy().

1713

Ditto.

This revision is now accepted and ready to land.Wed, May 21, 2:00 PM
kp accepted this revision as: kp.Fri, May 23, 3:24 PM

It'd be really nice having a test case for this too.

sys/netinet/ip_carp.c
1700–1713

Would it be worth defining a 'struct carp_mtag' for this?
Although that's more of a separate cleanup commit thing than something that has to be done at the same time as this.

glebius accepted this revision as: glebius.Fri, May 23, 3:35 PM
Closed by commit rG6a97fbe6fcb3: carp: fix mbuf_tag usage in carp_macmatch6 (authored by ae). · Explain WhySat, May 24, 8:24 AM
This revision was automatically updated to reflect the committed changes.
ae added a commit: rG6a97fbe6fcb3: carp: fix mbuf_tag usage in carp_macmatch6.

Revision Contents
Changeset List

PathSize
sys/
netinet/
27 lines

Diff 155969

View Options

sys/netinet/ip_carp.c

Loading...