| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1268076495.2819.57.camel@edumazet-laptop>
Date: Mon, 08 Mar 2010 20:28:15 +0100
From: Eric Dumazet <eric.dumazet@...il.com>
To: Penttilä Mika <mika.penttila@...nos.com>,
David Miller <davem@...emloft.net>
Cc: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
William Allen Simpson <william.allen.simpson@...il.com>
Subject: RE: TCP_COOKIE_TRANSACTIONS synack data
Le lundi 08 mars 2010 à 18:33 +0200, Penttilä Mika a écrit :
> >
> > Le lundi 08 mars 2010 à 16:27 +0200, Penttilä Mika a écrit :
> > > The TCP_COOKIE_TRANSACTIONS synack data seems pretty unsafe atm.
> > > >From tcp_make_synack():
> > >
> > >
> > > u8 *buf = skb_put(skb, cvp->s_data_desired);
> > >
> > > /* copy data directly from the listening socket. */
> > > memcpy(buf, cvp->s_data_payload, cvp->s_data_desired);
> > >
> > >
> > > The skb here is allocated for MAX_TCP_HEADER + 15 and synack data
> > could be as long as TCP_MSS_DEFAULT, panic():ing at the skb_put().
> > >
> >
> > Indeed, since start of december 2009.
> >
> > Do you plan to provide a patch do you prefer someone else take care of
> > it ?
> >
>
> I'm not planning to provide a patch at least very soon so I think someone else can provide a quicker fix.
>
>
OK thanks Mika !
I suspect following patch might be an appropriate fix for this problem.
[PATCH] tcp: Fix tcp_make_synack()
Commit 4957faad (TCPCT part 1g: Responder Cookie => Initiator), part
of TCP_COOKIE_TRANSACTION implementation, forgot to correctly size
synack skb in case user data must be included.
Many thanks to Mika Pentillä for spotting this error.
Reported-by: Penttillä Mika <mika.penttila@...nos.com>
Signed-off-by: Eric Dumazet <eric.dumazet@...il.com>
---
net/ipv4/tcp_output.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 4a1605d..f181b78 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2395,13 +2395,17 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
struct tcp_extend_values *xvp = tcp_xv(rvp);
struct inet_request_sock *ireq = inet_rsk(req);
struct tcp_sock *tp = tcp_sk(sk);
+ const struct tcp_cookie_values *cvp = tp->cookie_values;
struct tcphdr *th;
struct sk_buff *skb;
struct tcp_md5sig_key *md5;
int tcp_header_size;
int mss;
+ int s_data_desired = 0;
- skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
+ if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
+ s_data_desired = cvp->s_data_desired;
+ skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
if (skb == NULL)
return NULL;
@@ -2457,16 +2461,12 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
TCPCB_FLAG_SYN | TCPCB_FLAG_ACK);
if (OPTION_COOKIE_EXTENSION & opts.options) {
- const struct tcp_cookie_values *cvp = tp->cookie_values;
-
- if (cvp != NULL &&
- cvp->s_data_constant &&
- cvp->s_data_desired > 0) {
- u8 *buf = skb_put(skb, cvp->s_data_desired);
+ if (s_data_desired) {
+ u8 *buf = skb_put(skb, s_data_desired);
/* copy data directly from the listening socket. */
- memcpy(buf, cvp->s_data_payload, cvp->s_data_desired);
- TCP_SKB_CB(skb)->end_seq += cvp->s_data_desired;
+ memcpy(buf, cvp->s_data_payload, s_data_desired);
+ TCP_SKB_CB(skb)->end_seq += s_data_desired;
}
if (opts.hash_size > 0) {
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists