| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3b92167c-201c-e85d-822d-06f0c9ac508c@linux.alibaba.com>
Date: Mon, 9 Nov 2020 18:12:40 +0800
From: Mao Wenan <wenan.mao@...ux.alibaba.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: David Miller <davem@...emloft.net>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Jakub Kicinski <kuba@...nel.org>,
netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
kernel-janitors@...r.kernel.org
Subject: Re: [PATCH net v2] net: Update window_clamp if SOCK_RCVBUF is set
在 2020/11/9 下午5:56, Eric Dumazet 写道:
> On Mon, Nov 9, 2020 at 10:33 AM Mao Wenan <wenan.mao@...ux.alibaba.com> wrote:
>>
>> When net.ipv4.tcp_syncookies=1 and syn flood is happened,
>> cookie_v4_check or cookie_v6_check tries to redo what
>> tcp_v4_send_synack or tcp_v6_send_synack did,
>> rsk_window_clamp will be changed if SOCK_RCVBUF is set,
>> which will make rcv_wscale is different, the client
>> still operates with initial window scale and can overshot
>> granted window, the client use the initial scale but local
>> server use new scale to advertise window value, and session
>> work abnormally.
>
> What is not working exactly ?
>
> Sending a 'big wscale' should not really matter, unless perhaps there
> is a buggy stack at the remote end ?
1)in tcp_v4_send_synack, if SO_RCVBUF is set and
tcp_full_space(sk)=65535, pass req->rsk_window_clamp=65535 to
tcp_select_initial_window, rcv_wscale will be zero, and send to client,
the client consider wscale is 0;
2)when ack is back from client, if there is no this patch,
req->rsk_window_clamp is 0, and pass to tcp_select_initial_window,
wscale will be 7, this new rcv_wscale is no way to advertise to client.
3)if server send rcv_wind to client with window=63, it consider the real
window is 63*2^7=8064, but client consider the server window is only
63*2^0=63, it can't send big packet to server, and the send-q of client
is full.
>
>>
>> Signed-off-by: Mao Wenan <wenan.mao@...ux.alibaba.com>
>> ---
>> v2: fix for ipv6.
>> net/ipv4/syncookies.c | 4 ++++
>> net/ipv6/syncookies.c | 5 +++++
>> 2 files changed, 9 insertions(+)
>>
>> diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
>> index 6ac473b..57ce317 100644
>> --- a/net/ipv4/syncookies.c
>> +++ b/net/ipv4/syncookies.c
>> @@ -427,6 +427,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
>>
>> /* Try to redo what tcp_v4_send_synack did. */
>> req->rsk_window_clamp = tp->window_clamp ? :dst_metric(&rt->dst, RTAX_WINDOW);
>> + /* limit the window selection if the user enforce a smaller rx buffer */
>> + if (sk->sk_userlocks & SOCK_RCVBUF_LOCK &&
>> + (req->rsk_window_clamp > tcp_full_space(sk) || req->rsk_window_clamp == 0))
>> + req->rsk_window_clamp = tcp_full_space(sk);
>
> This seems not needed to me.
>
> We call tcp_select_initial_window() with tcp_full_space(sk) passed as
> the 2nd parameter.
>
> tcp_full_space(sk) will then apply :
>
> space = min(*window_clamp, space);
if cookie_v4_check pass window_clamp=0 to tcp_select_initial_window, it
will set window_clamp to max value.
(*window_clamp) = (U16_MAX << TCP_MAX_WSCALE);
but space will fetch from sysctl_rmem_max and sysctl_tcp_rmem[2] which
is also big value.
space = max_t(u32, space, sock_net(sk)->ipv4.sysctl_tcp_rmem[2]);
space = max_t(u32, space, sysctl_rmem_max);
Then,space = min(*window_clamp, space) is a big value, lead wscale to 7,
is different from tcp_v4_send_synack.
>
> Please cook a packetdrill test to demonstrate what you are seeing ?
>
I have real environment and reproduce this case, this patch can fix
that, i will try to use packetdrill with syn cookies and syn flood happen.
Powered by blists - more mailing lists