• Nicolas Dichtel's avatar
    af_packet: fix raw sockets over 6in4 tunnel · 88a8121d
    Nicolas Dichtel authored
    Since commit cb9f1b78, scapy (which uses an AF_PACKET socket in
    SOCK_RAW mode) is unable to send a basic icmp packet over a sit tunnel:
    
    Here is a example of the setup:
    $ ip link set ntfp2 up
    $ ip addr add 10.125.0.1/24 dev ntfp2
    $ ip tunnel add tun1 mode sit ttl 64 local 10.125.0.1 remote 10.125.0.2 dev ntfp2
    $ ip addr add fd00:cafe:cafe::1/128 dev tun1
    $ ip link set dev tun1 up
    $ ip route add fd00:200::/64 dev tun1
    $ scapy
    >>> p = []
    >>> p += IPv6(src='fd00:100::1', dst='fd00:200::1')/ICMPv6EchoRequest()
    >>> send(p, count=1, inter=0.1)
    >>> quit()
    $ ip -s link ls dev tun1 | grep -A1 "TX.*errors"
        TX: bytes  packets  errors  dropped carrier collsns
        0          0        1       0       0       0
    
    The problem is that the network offset is set to the hard_header_len of the
    output device (tun1, ie 14 + 20) and in our case, because the packet is
    small (48 bytes) the pskb_inet_may_pull() fails (it tries to pull 40 bytes
    (ipv6 header) starting from the network offset).
    
    This problem is more generally related to device with variable hard header
    length. To avoid a too intrusive patch in the current release, a (ugly)
    workaround is proposed in this patch. It has to be cleaned up in net-next.
    
    Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=993675a3100b1
    Link: http://patchwork.ozlabs.org/patch/1024489/
    Fixes: cb9f1b78 ("ip: validate header length on virtual device xmit")
    CC: Willem de Bruijn <willemb@google.com>
    CC: Maxim Mikityanskiy <maximmi@mellanox.com>
    Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
    Acked-by: default avatarWillem de Bruijn <willemb@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    88a8121d
af_packet.c 107 KB