[ovs-dev] [PATCH] tunneling: Don't send ICMP messages if no tunnel port is found.

Jesse Gross jesse at nicira.com
Sat Feb 2 00:58:07 UTC 2013


Some tunnel code in OVS (for example, CAPWAP) uses the skb->cb to
store information while processing packets.  However, if we don't
find an appropriate tunnel port on receive, then we send an ICMP
port unreachable message, which calls back into the IP stack.  The
stack assumes that skb->cb will still contain valid information
about from the IP layer, including any IP options.  As a result,
icmp_echo_options() can read the garbage values from STT and
overwrite data on the stack, panicing the machine.

This simply stops sending ICMP messages when ports are not found.
Many people find them confusing and flow based tunneling will
never send them (since it always finds a port) so it solves both
problems at once.

Bug #14880

Reported-by: Deepesh Govindan <dgovindan at nicira.com>
Signed-off-by: Jesse Gross <jesse at nicira.com>
---
 datapath/vport-capwap.c |    4 +---
 datapath/vport-gre.c    |    4 +---
 datapath/vport-vxlan.c  |    4 +---
 3 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/datapath/vport-capwap.c b/datapath/vport-capwap.c
index 56e6394..1230682 100644
--- a/datapath/vport-capwap.c
+++ b/datapath/vport-capwap.c
@@ -331,10 +331,8 @@ static int capwap_rcv(struct sock *sk, struct sk_buff *skb)
 	iph = ip_hdr(skb);
 	vport = ovs_tnl_find_port(sock_net(sk), iph->daddr, iph->saddr, key,
 				  TNL_T_PROTO_CAPWAP, &mutable);
-	if (unlikely(!vport)) {
-		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+	if (unlikely(!vport))
 		goto error;
-	}
 
 	if (key_present && mutable->key.daddr &&
 			 !(mutable->flags & TNL_F_IN_KEY_MATCH)) {
diff --git a/datapath/vport-gre.c b/datapath/vport-gre.c
index 14c5ba3..680e7b3 100644
--- a/datapath/vport-gre.c
+++ b/datapath/vport-gre.c
@@ -274,10 +274,8 @@ static int gre_rcv(struct sk_buff *skb)
 	iph = ip_hdr(skb);
 	vport = ovs_tnl_find_port(dev_net(skb->dev), iph->daddr, iph->saddr, key,
 				  tunnel_type, &mutable);
-	if (unlikely(!vport)) {
-		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+	if (unlikely(!vport))
 		goto error;
-	}
 
 	tnl_flags = gre_flags_to_tunnel_flags(mutable, gre_flags, &key);
 	tnl_tun_key_init(&tun_key, iph, key, tnl_flags);
diff --git a/datapath/vport-vxlan.c b/datapath/vport-vxlan.c
index 4f9f339..413452e 100644
--- a/datapath/vport-vxlan.c
+++ b/datapath/vport-vxlan.c
@@ -166,10 +166,8 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
 	iph = ip_hdr(skb);
 	vport = ovs_tnl_find_port(dev_net(skb->dev), iph->daddr, iph->saddr,
 		key, TNL_T_PROTO_VXLAN, &mutable);
-	if (unlikely(!vport)) {
-		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+	if (unlikely(!vport))
 		goto error;
-	}
 
 	if (mutable->flags & TNL_F_IN_KEY_MATCH || !mutable->key.daddr)
 		tunnel_flags = OVS_TNL_F_KEY;
-- 
1.7.9.5




More information about the dev mailing list