Date:	Wed, 28 May 2008 19:30:37 -0700
From:	"Adam Langley" <agl@...erialviolet.org>
To:	netdev@...r.kernel.org
Subject: SACK + MD5 overflows TCP options space

In tcp_output.c:tcp_transmit_skb we have:

#ifdef CONFIG_TCP_MD5SIG
	/*
	 * Are we doing MD5 on this segment? If so - make
	 * room for it.
	 */
	md5 = tp->af_specific->md5_lookup(sk, sk);
	if (md5)
		tcp_header_size += TCPOLEN_MD5SIG_ALIGNED;
#endif

However, the SACK option can be at least 18 bytes long (I've not
checked the code here, I've just observed a packet go by with that
much SACK in it). With alignment padding, that's 20 bytes. Plus 12
bytes of timestamp option (aligned). Then, adding 18 bytes of MD5SIG
rolls the TCP header size over and we produce garbage, right?

I'm only asking because I've a patch which adds a similar option and,
when SACK kicks in, I'm getting TCP header sizes of 0 or 8 bytes. If
there's a solution to the MD5 case that I'm missing I'd love to use
it. (Otherwise, I've another bodge up my sleeves)


Cheers

-- 
Adam Langley agl@...erialviolet.org http://www.imperialviolet.org
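
Added example, not part of the original message or of the kernel source: a small C model of the option-space arithmetic discussed above, showing how a computed header size past 60 bytes wraps in the 4-bit data-offset field to the 0- and 8-byte sizes mentioned. The constant names follow the kernel's include/net/tcp.h; the functions header_size, size_on_wire and header_fits are hypothetical helpers written for this illustration.

```c
#include <stdio.h>

/* Sizes in bytes; names follow the kernel's include/net/tcp.h constants. */
#define TCP_BASE_HDR               20  /* sizeof(struct tcphdr) */
#define TCPOLEN_TSTAMP_ALIGNED     12
#define TCPOLEN_MD5SIG_ALIGNED     20  /* 18-byte option padded to 20 */
#define TCPOLEN_SACK_BASE_ALIGNED   4
#define TCPOLEN_SACK_PERBLOCK       8
#define MAX_TCP_HEADER_BYTES       60  /* 4-bit doff: 15 words * 4 */

/* Hypothetical helper: header size a sender would compute for this mix. */
unsigned int header_size(int timestamps, int sack_blocks, int md5)
{
	unsigned int size = TCP_BASE_HDR;

	if (timestamps)
		size += TCPOLEN_TSTAMP_ALIGNED;
	if (sack_blocks > 0)
		size += TCPOLEN_SACK_BASE_ALIGNED +
			sack_blocks * TCPOLEN_SACK_PERBLOCK;
	if (md5)
		size += TCPOLEN_MD5SIG_ALIGNED;
	return size;
}

/* What a receiver decodes after size >> 2 is stored in the 4-bit doff. */
unsigned int size_on_wire(unsigned int size)
{
	return ((size >> 2) & 0xF) << 2;
}

/* Hypothetical guard: does the computed header fit the doff field? */
int header_fits(unsigned int size)
{
	return size <= MAX_TCP_HEADER_BYTES;
}

int main(void)
{
	for (int blocks = 0; blocks <= 3; blocks++) {
		unsigned int size = header_size(1, blocks, 1);

		printf("sack_blocks=%d computed=%u on_wire=%u fits=%d\n",
		       blocks, size, size_on_wire(size), header_fits(size));
	}
	return 0;
}
```

With timestamps and MD5 both enabled, one SACK block gives a computed size of 64 bytes that decodes as 0, and two blocks give 72 bytes that decodes as 8.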