lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <b9833b748f61c043a2827daee060d4ad4171996e.camel@redhat.com>
Date:   Mon, 16 Dec 2019 13:52:12 +0100
From:   Paolo Abeni <pabeni@...hat.com>
To:     Eric Dumazet <eric.dumazet@...il.com>,
        Mat Martineau <mathew.j.martineau@...ux.intel.com>,
        netdev@...r.kernel.org, mptcp@...ts.01.org
Subject: Re: [MPTCP] Re: [PATCH net-next 09/11] tcp: Check for filled TCP
 option space before SACK

Hi,

On Fri, 2019-12-13 at 15:22 -0800, Eric Dumazet wrote:
> 
> On 12/13/19 3:00 PM, Mat Martineau wrote:
> > The SACK code would potentially add four bytes to the expected
> > TCP option size even if all option space was already used.
> > 
> > Signed-off-by: Mat Martineau <mathew.j.martineau@...ux.intel.com>
> > ---
> >  net/ipv4/tcp_output.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
> > index 9e04d45bc0e4..710ab45badfa 100644
> > --- a/net/ipv4/tcp_output.c
> > +++ b/net/ipv4/tcp_output.c
> > @@ -748,6 +748,9 @@ static unsigned int tcp_established_options(struct sock *sk, struct sk_buff *skb
> >  		size += TCPOLEN_TSTAMP_ALIGNED;
> >  	}
> >  
> > +	if (size + TCPOLEN_SACK_BASE_ALIGNED >= MAX_TCP_OPTION_SPACE)
> > +		return size;
> > +
> >  	eff_sacks = tp->rx_opt.num_sacks + tp->rx_opt.dsack;
> >  	if (unlikely(eff_sacks)) {
> >  		const unsigned int remaining = MAX_TCP_OPTION_SPACE - size;
> > 
> 
> Hmmm... I thought I already fixed this issue ?
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9424e2e7ad93ffffa88f882c9bc5023570904b55
> 
> Please do not mix fixes (targeting net tree) in a patch series targeting net-next

Thank you for the feedback!

Unfortunatelly, the above commit is not enough when MPTCP is enabled,
as, without this patch, we can reach the following code:

		const unsigned int remaining = MAX_TCP_OPTION_SPACE - size;
		opts->num_sack_blocks =
			min_t(unsigned int, eff_sacks,
			      (remaining - TCPOLEN_SACK_BASE_ALIGNED) /
			      TCPOLEN_SACK_PERBLOCK);

with 'size == MAX_TCP_OPTION_SPACE' and num_sack_blocks will be
miscalculated. So we need 'fix' but only for MPTCP/when MPTCP is
enabled. Still ok for a -net commit?

Additionally we can clean-up the fix a bit, using something alike the
following, so that it will never add an additional branching
istruction.

---
+               if (unlikely(remaining < TCPOLEN_SACK_BASE_ALIGNED +
+                                        TCPOLEN_SACK_PERBLOCK))
+                       return size;
+
                opts->num_sack_blocks =
                        min_t(unsigned int, eff_sacks,
                              (remaining - TCPOLEN_SACK_BASE_ALIGNED) /
                              TCPOLEN_SACK_PERBLOCK);
-               if (likely(opts->num_sack_blocks))
-                       size += TCPOLEN_SACK_BASE_ALIGNED +
-                               opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
+
+               size += TCPOLEN_SACK_BASE_ALIGNED +
+                       opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
---

Thank you!

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ