lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Apr 2022 12:26:57 +0200 From: Florian Westphal <fw@...len.de> To: Jozsef Kadlecsik <kadlec@...filter.org> Cc: Florian Westphal <fw@...len.de>, Neal Cardwell <ncardwell@...gle.com>, Eric Dumazet <edumazet@...gle.com>, Jaco Kroon <jaco@....co.za>, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections Jozsef Kadlecsik <kadlec@...filter.org> wrote: > I'd merge the two conditions so that it'd cover both original condition > branches: > > diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c > index 8ec55cd72572..87375ce2f995 100644 > --- a/net/netfilter/nf_conntrack_proto_tcp.c > +++ b/net/netfilter/nf_conntrack_proto_tcp.c > @@ -556,33 +556,26 @@ static bool tcp_in_window(struct nf_conn *ct, > } > > } > - } else if (((state->state == TCP_CONNTRACK_SYN_SENT > - && dir == IP_CT_DIR_ORIGINAL) > - || (state->state == TCP_CONNTRACK_SYN_RECV > - && dir == IP_CT_DIR_REPLY)) > - && after(end, sender->td_end)) { > + } else if (tcph->syn && > + ((after(end, sender->td_end) && > + (state->state == TCP_CONNTRACK_SYN_SENT || > + state->state == TCP_CONNTRACK_SYN_RECV)) || > + (dir == IP_CT_DIR_REPLY && > + state->state == TCP_CONNTRACK_SYN_SENT))) { Thats what I did as well, I merged the two branches but I made the 2nd clause stricter to also consider the after() test; it would no longer re-init for syn-acks when sequence did not advance. Then, dir == IP_CT_DIR_REPLY && state == SYN_SENT is already covered by earlier test and can be elided. I'm fine with your version though, will you submit a patch?
Powered by blists - more mailing lists