[PATCH] NETWORKING: avoid use IPCB in cipso_v4_error

Nazarov Sergey s-nazarov at yandex.ru
Fri Feb 22 16:35:29 UTC 2019

I tried to analyze the cases of using icmp_send in kernel. It indirectly used by many protocols:
ARP, IP, UDP, Netfilter, IPVS, IPIP, GRE over IP, CLIP, XFRM, CIPSOv4.
Different IP tunnels and XFRM operating directly over IP layer and if using own skb->cb data,
having IP header data in front of it. CLIP uses icmp_send for packets from arp queue only.
So, If I right, only TCP layer moves IP header data and only CIPSOv4 operates on both IP and
TCP layers now. 

19.02.2019, 04:25, "David Miller" <davem at davemloft.net>:
> From: Nazarov Sergey <s-nazarov at yandex.ru>
> Date: Mon, 18 Feb 2019 16:39:11 +0300
>>  I think, it would not be a good solution, if I will analyze all
>>  subsystems using icmp_send, because I do not have enough knowledge
>>  for this. I propose to add a new function, for example,
>>  ismp_send_safe, something like that:
> Please don't do this.
> Solve the problem properly by auditing each case, there aren't a lot and
> it is not too difficult to see the upcall sites.

More information about the Linux-security-module-archive mailing list