lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <4B5078BB.40306@gmail.com>
Date: Fri, 15 Jan 2010 09:16:27 -0500
From: William Allen Simpson <william.allen.simpson@...il.com>
To: Linux Kernel Developers <linux-kernel@...r.kernel.org>
CC: Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: [PATCH] tcp: input header length, prediction, and timestamp bugs
Fix incorrect header prediction flags documentation.
Don't use output calculated tp->tcp_header_len for input decisions.
While the output header is usually the same as the input (same options
in both directions), that's a poor assumption. In particular, Sack will
be different. Newer options are not guaranteed.
Moreover, in the fast path, that only saved a shift or two. The other
efficiencies in this patch more than make up the difference.
Instead, use tp->rx_opt.tstamp_ok to accurately predict header length.
Likewise, use tp->rx_opt.tstamp_ok for received MSS calculations.
Don't use "sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED" to guess that
the timestamp is present. This may have been OK in the days with fewer
possible options, but various combinations of newer options may yield
the same header length.
Instead, use tp->rx_opt.saw_tstamp to determine a timestamp is present.
(This bug is in 3 places.)
There's no need to test buffer length against header length, already
checked by tcp_v[4,6]_rcv(). Straighten code for minor efficiency gain.
Don't overload tp->tcp_header_len by temporarily storing predicted
header length. It's wiped later by the output code, and very confusing.
Instead, the simpler __tcp_fast_path_header_length() can also be used
for the same purpose, at the cost of a branch, but the substantial
savings of removing the extra store and re-load.
Finally, don't use TCPOLEN_MD5SIG_ALIGNED in the tcp_minisock.c
last_seg_size calculations. It's not used in all other places, and may
result in a too short estimate.
Instead, use the same calculations as tp->advmss in tcp_input.c.
Stand-alone patch, originally developed for TCPCT.
Requires:
net: tcp_header_len_th and tcp_option_len_th
tcp: harmonize tcp_vx_rcv header length assumptions
Signed-off-by: William.Allen.Simpson@...il.com
---
include/linux/tcp.h | 6 ++-
include/net/tcp.h | 9 ++++-
net/ipv4/tcp_input.c | 92 ++++++++++++++++------------------------------
net/ipv4/tcp_minisocks.c | 10 ++---
4 files changed, 49 insertions(+), 68 deletions(-)
View attachment "len_th+4v1.patch" of type "text/plain" (7838 bytes)
Powered by blists - more mailing lists