Open Source and information security mailing list archives
Date:	Wed, 01 Feb 2012 08:53:53 +0100
From:	Eric Dumazet <>
To:	Shawn Lu <>
Cc:	"" <>,
	"" <>,
	"" <>
Subject: RE: [PATCH] tcp: md5: fix md5 RST when both sides have listener

On Wednesday 01 February 2012 at 02:48 -0500, Shawn Lu wrote:
> Hi, Eric:
> How about changing the title and log to the following:
>   tcp: md5: RST: getting md5 key from listener
>     TCP RST mechanism is broken in TCP md5 (RFC2385). When
>     connection is gone, md5 key is lost, sending RST
>     without md5 hash is deemed to be ignored by peer. This can
>     be a problem since RST helps protocols like bgp to fast
>     recover from peer crash.
>     In most cases, users of tcp md5, such as bgp and ldp,
>     have listener on both sides to accept connection from peer.
>     md5 keys for peers are saved in listening socket.
>     There are two cases in finding md5 key when connection is
>     lost:
>     1. Passive receive RST: The message is sent to well known port,
>     tcp will associate packet with listener. md5 key can be gotten
>     from listener.
>     2. Active receive RST (no sock): The message is sent to active
>     side, there is no socket associated with message. In this case,
>     find listener from source port, then find md5 key from
>     listener.
>     We are not losing security here:
>     packet is checked with md5 hash. No RST is generated
>     if md5 hash doesn't match or no md5 key can be found.
> Note:
> Will send out a new version that is on top of your new patch
> -- "tcp: md5: protects md5sig_info with RCU"

Seems good to me!

By the way, is the patch going to work if netfilter conntrack is
enabled?
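As an added example (not the kernel patch under discussion and not code from either poster), the following Python models the behaviour the proposed commit message describes: when a segment arrives for which no connection socket exists, the peer's MD5 key is looked up from the listening socket, either by destination port (case 1, passive side) or by source port (case 2, active side, both sides running a listener), the incoming segment's RFC 2385 signature is verified against that key, and only then is a signed RST produced. The listener table, the addresses, the port numbers and the key are constructed for the example; the RFC 2385 digest construction (pseudo-header, fixed header with checksum zeroed, data, key) follows section 2.0 of that RFC. The real kernel path (tcp_v4_send_reset and the md5sig_info lookups) does considerably more; this is only the decision logic.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
TCP_FLAG_FIN, TCP_FLAG_SYN, TCP_FLAG_RST, TCP_FLAG_ACK = 0x01, 0x02, 0x04, 0x10
MD5_OPT_KIND, MD5_OPT_LEN = 19, 18      # RFC 2385 option: kind, length, 16-byte digest

def tcp_fields(base):
    """(sport, dport, seq, ack, flags) of a 20-byte fixed TCP header."""
    sport, dport, seq, ack, _doff, flags = struct.unpack("!HHIIBB", base[:14])
    return sport, dport, seq, ack, flags

def tcp_md5_digest(src_ip, dst_ip, base, options_len, payload, key):
    """RFC 2385 sec. 2.0: MD5 over pseudo-header, fixed header (checksum 0), data, key."""
    seg_len = len(base) + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!HH", IPPROTO_TCP, seg_len))
    hdr = base[:16] + b"\x00\x00" + base[18:]       # checksum field sits at offset 16..18
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", key=None):
    """Return (base, options, payload); a key adds the signature option, padded to 20 bytes."""
    options_len = 20 if key is not None else 0
    base = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       (5 + options_len // 4) << 4, flags, 65535, 0, 0)
    options = b""
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, base, options_len, payload, key)
        options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x00\x00"
    return base, options, payload

def md5_option(options):
    """Digest carried by the MD5 signature option, or None if unsigned or malformed."""
    i = 0
    while i + 1 < len(options) and options[i] != 0:     # 0 = end of option list
        if options[i] == 1:                             # 1 = NOP
            i += 1
            continue
        kind, length = options[i], options[i + 1]
        if length < 2:
            return None
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + 18]
        i += length
    return None

def find_md5_key(src_ip, sport, dport, established, listeners):
    """Key for a segment; falls back to listeners when no connection socket exists."""
    # established: {(peer_ip, peer_port, local_port): key}; listeners: {local_port: {peer_ip: key}}
    key = established.get((src_ip, sport, dport))
    if key is not None:
        return key
    if dport in listeners:              # case 1, passive side: segment hit our well-known port
        return listeners[dport].get(src_ip)
    if sport in listeners:              # case 2, active side: peer's well-known port, both listen
        return listeners[sport].get(src_ip)
    return None

def rst_for_segment(src_ip, dst_ip, base, options, payload, listeners, established=None):
    """Signed RST (base, options) answering an orphan segment, or None if it must be dropped."""
    sport, dport, seq, ack, flags = tcp_fields(base)
    key = find_md5_key(src_ip, sport, dport, established or {}, listeners)
    digest = md5_option(options)
    if key is None or digest is None:                   # no key or unsigned: no RST at all
        return None
    if not hmac.compare_digest(digest, tcp_md5_digest(src_ip, dst_ip, base, len(options), payload, key)):
        return None                                     # signature mismatch: no RST either
    if flags & TCP_FLAG_ACK:
        rst_flags, rst_seq, rst_ack = TCP_FLAG_RST, ack, 0
    else:
        consumed = len(payload) + bool(flags & TCP_FLAG_SYN) + bool(flags & TCP_FLAG_FIN)
        rst_flags, rst_seq, rst_ack = TCP_FLAG_RST | TCP_FLAG_ACK, 0, (seq + consumed) & 0xFFFFFFFF
    rst_base, rst_opts, _ = build_segment(dst_ip, src_ip, dport, sport, rst_seq, rst_ack, rst_flags, b"", key)
    return rst_base, rst_opts

def run_cases():
    """Constructed scenarios: the two lookup cases plus the segments that draw no RST."""
    listeners = {179: {"192.0.2.10": b"bgp-peer-key"}}  # constructed: one bgp listener, one peer
    local, peer, key = "198.51.100.1", "192.0.2.10", b"bgp-peer-key"
    seg = lambda sp, dp, fl, pl=b"", k=key: build_segment(peer, local, sp, dp, 1000, 5000, fl, pl, k)
    return {
        "passive": rst_for_segment(peer, local, *seg(40000, 179, TCP_FLAG_ACK, b"\x01" * 19), listeners),
        "active": rst_for_segment(peer, local, *seg(179, 40001, TCP_FLAG_ACK), listeners),
        "syn": rst_for_segment(peer, local, *seg(40002, 179, TCP_FLAG_SYN), listeners),
        "unsigned": rst_for_segment(peer, local, *seg(40000, 179, TCP_FLAG_ACK, b"", None), listeners),
        "badkey": rst_for_segment(peer, local, *seg(40000, 179, TCP_FLAG_ACK, b"", b"wrong"), listeners),
        "unknown": rst_for_segment("203.0.113.5", local,
                                   *build_segment("203.0.113.5", local, 40000, 179, 1, 2, TCP_FLAG_ACK, b"", key),
                                   listeners),
    }

if __name__ == "__main__":
    for name, rst in run_cases().items():
        print(name, "RST" if rst else "dropped", tcp_fields(rst[0]) if rst else "")
```

The three refusal cases are the point of the "not losing security" sentence in the proposed log: an unsigned segment, a segment signed under a different key, and a segment from a peer the listener has no key for all produce no RST, while the two lookup cases yield an RST that carries a valid signature the peer will accept. Real deployments also have to consider how the segment reaches the lookup at all (the netfilter conntrack question above is about exactly that), which this model does not address.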
