lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 9 Feb 2009 15:28:09 +0200 (EET)
From:	"Ilpo Järvinen" <ilpo.jarvinen@...sinki.fi>
To:	Herbert Xu <herbert@...dor.apana.org.au>
cc:	David Miller <davem@...emloft.net>, jeff.chua.linux@...il.com,
	rjw@...k.pl, torvalds@...ux-foundation.org,
	LKML <linux-kernel@...r.kernel.org>,
	Netdev <netdev@...r.kernel.org>
Subject: Re: commit 64ff3b938ec6782e6585a83d5459b98b0c3f6eb8 breaks rlogin

On Mon, 9 Feb 2009, Herbert Xu wrote:

> On Mon, Feb 09, 2009 at 09:13:00AM +0200, Ilpo Järvinen wrote:
> > 
> > Hmm, what happens if a opposite dir ACK gets sent (it's zero sized seqno
> > range will be above urgent sequence when urg is not yet acknowledged)? So
> > we'll take the later branch after your change and send bogus 0xffff urg?
> > I think you're change might have actually broken bidir tcp completely (and
> > probably window probing as well under some conditions). Congraz, two flies
> > with a single stroke :-). You would have needed an additional check that
> > the tcb->seq is below urg...
> > 
> > ...Below is a patch but Jeff might need to revert the revert first if
> > he tests with the latest Linus' tree.
> 
> Good point! That would definitely explain this.
>  
> > [PATCH] tcp: check that we're still < urg instead of sending a bogus one
> > 
> > Opposite dir ACK with zero sized seqno range can go into the
> > later condition once urg is in the outstanding window not
> > yet acknowledge (we're still in urg mode but seqno we sent in
> > the ack won't be below snd_up). Need to check that we never
> > advertize bogus urg for a segment which is after the snd_up.
> > 
> > Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@...sinki.fi>
> > ---
> >  net/ipv4/tcp_output.c |    3 ++-
> >  1 files changed, 2 insertions(+), 1 deletions(-)
> > 
> > diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> > index 557fe16..c808d73 100644
> > --- a/net/ipv4/tcp_output.c
> > +++ b/net/ipv4/tcp_output.c
> > @@ -667,7 +667,8 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
> >  		if (between(tp->snd_up, tcb->seq + 1, tcb->seq + 0xFFFF)) {
> >  			th->urg_ptr = htons(tp->snd_up - tcb->seq);
> >  			th->urg = 1;
> > -		} else if (after(tcb->seq + 0xFFFF, tp->snd_nxt)) {
> > +		} else if (after(tcb->seq + 0xFFFF, tp->snd_nxt) &&
> > +			   before(tcb->seq, tcp->snd_up)) {
> >  			th->urg_ptr = 0xFFFF;
> >  			th->urg = 1;
> >  		}
> 
> We could rewrite this as
> 
> 	if (unlikely(tcp_urg_mode(tp) && before(tcb->seq, tcp->snd_up))) {
> 		if (before(tp->sndup, tcb->seq + 0x10000)) {
> 			th->urg_ptr = htons(tp->snd_up - tcb->seq);
> 			th->urg = 1;
> 		} else if (after(tcb->seq + 0xFFFF, tp->snd_nxt)) {
> 			th->urg_ptr = 0xFFFF;
> 			th->urg = 1;
> 		}
> 	}

Yes, that should work too except the gcc catchable typo.


-- 
 i.

Powered by blists - more mailing lists