| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Mar 2017 11:16:19 -0300
From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To: Xin Long <lucien.xin@...il.com>
Cc: network dev <netdev@...r.kernel.org>, linux-sctp@...r.kernel.org,
Neil Horman <nhorman@...driver.com>,
Vlad Yasevich <vyasevich@...il.com>,
davem <davem@...emloft.net>
Subject: Re: [PATCHv2 net-next 2/7] sctp: implement receiver-side procedures
for the SSN/TSN Reset Request Parameter
On Mon, Mar 27, 2017 at 12:48:31PM +0800, Xin Long wrote:
> On Sat, Mar 25, 2017 at 7:52 AM, Marcelo Ricardo Leitner
> <marcelo.leitner@...il.com> wrote:
> > On Tue, Mar 21, 2017 at 01:44:32PM +0800, Xin Long wrote:
> >> On Tue, Mar 21, 2017 at 2:04 AM, Marcelo Ricardo Leitner
> >> <marcelo.leitner@...il.com> wrote:
> >> > On Fri, Mar 10, 2017 at 12:11:07PM +0800, Xin Long wrote:
> >> >> This patch is to implement Receiver-Side Procedures for the SSN/TSN
> >> >> Reset Request Parameter described in rfc6525 section 6.2.4.
> >> >>
> >> >> The process is kind of complicate, it's wonth having some comments
> >> >> from section 6.2.4 in the codes.
> >> >>
> >> >> Signed-off-by: Xin Long <lucien.xin@...il.com>
> >> >> ---
> >> >> include/net/sctp/sm.h | 4 +++
> >> >> net/sctp/sm_statefuns.c | 3 ++
> >> >> net/sctp/stream.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++
> >> >> 3 files changed, 86 insertions(+)
> >> >>
> >> >> diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
> >> >> index b6f682e..2629d66 100644
> >> >> --- a/include/net/sctp/sm.h
> >> >> +++ b/include/net/sctp/sm.h
> >> >> @@ -293,6 +293,10 @@ struct sctp_chunk *sctp_process_strreset_inreq(
> >> >> struct sctp_association *asoc,
> >> >> union sctp_params param,
> >> >> struct sctp_ulpevent **evp);
> >> >> +struct sctp_chunk *sctp_process_strreset_tsnreq(
> >> >> + struct sctp_association *asoc,
> >> >> + union sctp_params param,
> >> >> + struct sctp_ulpevent **evp);
> >> >>
> >> >> /* Prototypes for statetable processing. */
> >> >>
> >> >> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> >> >> index e03bb1a..6982064 100644
> >> >> --- a/net/sctp/sm_statefuns.c
> >> >> +++ b/net/sctp/sm_statefuns.c
> >> >> @@ -3872,6 +3872,9 @@ sctp_disposition_t sctp_sf_do_reconf(struct net *net,
> >> >> else if (param.p->type == SCTP_PARAM_RESET_IN_REQUEST)
> >> >> reply = sctp_process_strreset_inreq(
> >> >> (struct sctp_association *)asoc, param, &ev);
> >> >> + else if (param.p->type == SCTP_PARAM_RESET_TSN_REQUEST)
> >> >> + reply = sctp_process_strreset_tsnreq(
> >> >> + (struct sctp_association *)asoc, param, &ev);
> >> >> /* More handles for other types will be added here, by now it
> >> >> * just ignores other types.
> >> >> */
> >> >> diff --git a/net/sctp/stream.c b/net/sctp/stream.c
> >> >> index 1c6cc04..7e993b0 100644
> >> >> --- a/net/sctp/stream.c
> >> >> +++ b/net/sctp/stream.c
> >> >> @@ -477,3 +477,82 @@ struct sctp_chunk *sctp_process_strreset_inreq(
> >> >>
> >> >> return chunk;
> >> >> }
> >> >> +
> >> >> +struct sctp_chunk *sctp_process_strreset_tsnreq(
> >> >> + struct sctp_association *asoc,
> >> >> + union sctp_params param,
> >> >> + struct sctp_ulpevent **evp)
> >> >> +{
> >> >> + __u32 init_tsn = 0, next_tsn = 0, max_tsn_seen;
> >> >> + struct sctp_strreset_tsnreq *tsnreq = param.v;
> >> >> + struct sctp_stream *stream = asoc->stream;
> >> >> + __u32 result = SCTP_STRRESET_DENIED;
> >> >> + __u32 request_seq;
> >> >> + __u16 i;
> >> >> +
> >> >> + request_seq = ntohl(tsnreq->request_seq);
> >> >> + if (request_seq > asoc->strreset_inseq) {
> >> >> + result = SCTP_STRRESET_ERR_BAD_SEQNO;
> >> >> + goto out;
> >> >> + } else if (request_seq == asoc->strreset_inseq) {
> >> >> + asoc->strreset_inseq++;
> >> >> + }
> >> >
> >> > I guess I already asked this, but.. why request_seq <
> >> > asoc->strreset_inseq is allowed?
> >> we can not just ignore or response with ERR.
> >> rfc6525#section-5.2.1:
> >>
> >> ... If the received RE-CONFIG chunk contains at least
> >> one request and based on the analysis of the Re-configuration Request
> >> Sequence Numbers this is the last received RE-CONFIG chunk (i.e., a
> > ^^^^^^^^^^^^^
> >> retransmission), the same RE-CONFIG chunk MUST to be sent back in
> >> response, as it was earlier.
> >
> > That means we should only re-process that *last* reconf request, and not
> > just any old one. My understanding is that we need something like:
> > + } else if (request_seq < asoc->strreset_inseq-1) {
> > + result = SCTP_STRRESET_ERR_BAD_SEQNO;
> > + goto out;
> > + }
> >
> > And then this makes it evident that we have to handle request_seq as
> > serial numbers (like TSNs are handled).
> Got you.
>
> Here is actually also a replay attack. If a duplicate request happens:
Yep.
>
> In sender side, If the request is not yet acked, it will just process the
> response as usual. If It's acked already, It will drop the duplicate
> response as no matched asoc->strreset_chunk any more. It's safe.
>
> But in receiver side. It will process stream/asoc again when receiving
> a duplicate request. If receiver side has processed some data chunks
> and tsn/ssn have been increased before this. we shouldn't process
> this request, but only send back a response with the original result.
> The problem is that we didn't save the result of last request.
Sender will stop sending DATA while the reset is happening. We probably
can use the "first DATA" as a trigger to then free the response chunk in
receiver, or the next request (as it can't have 2 requests at the same,
issuing the 2nd one means it got the ack for the previous one),
whichever happens first.
>
>
> >
> >
> >>
> >>
> >> >
> >> >> +
> >> >> + if (!(asoc->strreset_enable & SCTP_ENABLE_RESET_ASSOC_REQ))
> >> >> + goto out;
> >> >> +
> >> >> + if (asoc->strreset_outstanding) {
> >> >> + result = SCTP_STRRESET_ERR_IN_PROGRESS;
> >> >> + goto out;
> >> >> + }
> >> >> +
> >> >> + /* G3: The same processing as though a SACK chunk with no gap report
> >> >> + * and a cumulative TSN ACK of the Sender's Next TSN minus 1 were
> >> >> + * received MUST be performed.
> >> >> + */
> >> >> + max_tsn_seen = sctp_tsnmap_get_max_tsn_seen(&asoc->peer.tsn_map);
> >> >> + sctp_ulpq_reasm_flushtsn(&asoc->ulpq, max_tsn_seen);
> >> >> + sctp_ulpq_abort_pd(&asoc->ulpq, GFP_ATOMIC);
> >> >> +
> >> >> + /* G1: Compute an appropriate value for the Receiver's Next TSN -- the
> >> >> + * TSN that the peer should use to send the next DATA chunk. The
> >> >> + * value SHOULD be the smallest TSN not acknowledged by the
> >> >> + * receiver of the request plus 2^31.
> >> >> + */
> >> >> + init_tsn = sctp_tsnmap_get_ctsn(&asoc->peer.tsn_map) + (1 << 31);
> >> >> + sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
> >> >> + init_tsn, GFP_ATOMIC);
> >> >> +
> >> >> + /* G4: The same processing as though a FWD-TSN chunk (as defined in
> >> >> + * [RFC3758]) with all streams affected and a new cumulative TSN
> >> >> + * ACK of the Receiver's Next TSN minus 1 were received MUST be
> >> >> + * performed.
> >> >> + */
> >> >> + sctp_outq_free(&asoc->outqueue);
> >> >> +
> >> >> + /* G2: Compute an appropriate value for the local endpoint's next TSN,
> >> >> + * i.e., the next TSN assigned by the receiver of the SSN/TSN reset
> >> >> + * chunk. The value SHOULD be the highest TSN sent by the receiver
> >> >> + * of the request plus 1.
> >> >> + */
> >> >> + next_tsn = asoc->next_tsn;
> >> >> + asoc->ctsn_ack_point = next_tsn - 1;
> >> >> + asoc->adv_peer_ack_point = asoc->ctsn_ack_point;
> >> >> +
> >> >> + /* G5: The next expected and outgoing SSNs MUST be reset to 0 for all
> >> >> + * incoming and outgoing streams.
> >> >> + */
> >> >> + for (i = 0; i < stream->outcnt; i++)
> >> >> + stream->out[i].ssn = 0;
> >> >> + for (i = 0; i < stream->incnt; i++)
> >> >> + stream->in[i].ssn = 0;
> >> >> +
> >> >> + result = SCTP_STRRESET_PERFORMED;
> >> >> +
> >> >> + *evp = sctp_ulpevent_make_assoc_reset_event(asoc, 0, init_tsn,
> >> >> + next_tsn, GFP_ATOMIC);
> >> >> +
> >> >> +out:
> >> >> + return sctp_make_strreset_tsnresp(asoc, result, request_seq,
> >> >> + next_tsn, init_tsn);
> >> >> +}
> >> >> --
> >> >> 2.1.0
> >> >>
> >> >> --
> >> >> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> >> >> the body of a message to majordomo@...r.kernel.org
> >> >> More majordomo info at http://vger.kernel.org/majordomo-info.html
> >> >>
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> >> the body of a message to majordomo@...r.kernel.org
> >> More majordomo info at http://vger.kernel.org/majordomo-info.html
> >>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
Powered by blists - more mailing lists