lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 24 Apr 2022 12:36:57 -0700
From:   Eric Dumazet <edumazet@...gle.com>
To:     Francesco Ruggeri <fruggeri@...sta.com>
Cc:     Paolo Abeni <pabeni@...hat.com>, Jakub Kicinski <kuba@...nel.org>,
        David Ahern <dsahern@...nel.org>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Miller <davem@...emloft.net>,
        LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH v2 net] tcp: md5: incorrect tcp_header_len for incoming connections

On Wed, Apr 20, 2022 at 5:50 PM Francesco Ruggeri <fruggeri@...sta.com> wrote:
>
> In tcp_create_openreq_child we adjust tcp_header_len for md5 using the
> remote address in newsk. But that address is still 0 in newsk at this
> point, and it is only set later by the callers (tcp_v[46]_syn_recv_sock).
> Use the address from the request socket instead.
>
> v2: Added "Fixes:" line.
>
> Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
> Signed-off-by: Francesco Ruggeri <fruggeri@...sta.com>
> ---
>  net/ipv4/tcp_minisocks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
> index 6366df7aaf2a..6854bb1fb32b 100644
> --- a/net/ipv4/tcp_minisocks.c
> +++ b/net/ipv4/tcp_minisocks.c
> @@ -531,7 +531,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
>         newtp->tsoffset = treq->ts_off;
>  #ifdef CONFIG_TCP_MD5SIG
>         newtp->md5sig_info = NULL;      /*XXX*/
> -       if (newtp->af_specific->md5_lookup(sk, newsk))
> +       if (treq->af_specific->req_md5_lookup(sk, req_to_sk(req)))

Wait a minute.

Are you sure treq->af_specific is initialized at this point ?

I should have tested this one liner patch really :/

I think that for syncookies, treq->af_specific is not initialized,
because we do not go through
tcp_conn_request() helper, but instead use cookie_tcp_reqsk_alloc()

Before your patch treq->af_specific was only used during SYNACK
generation, which does not happen in syncookie more while receiving
the third packet.

I will test something like this patch. We could move the init after
cookie_tcp_reqsk_alloc() has been called, but I prefer using the same
construct than tcp_conn_request()

diff --git a/include/net/tcp.h b/include/net/tcp.h
index be712fb9ddd71b2b320356677f3aa1c6759e2698..9987b3fba9f202632916cc439af9d17f1e68bcd3
100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -480,6 +480,7 @@ int __cookie_v4_check(const struct iphdr *iph,
const struct tcphdr *th,
                      u32 cookie);
 struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb);
 struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
+                                           const struct
tcp_request_sock_ops *af_ops,
                                            struct sock *sk, struct
sk_buff *skb);
 #ifdef CONFIG_SYN_COOKIES

diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 2cb3b852d14861231ac47f0b3e4daeb57682ffd2..f191bfa996d71f11ef786a0a3bcb8f737622d37a
100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -281,6 +281,7 @@ bool cookie_ecn_ok(const struct
tcp_options_received *tcp_opt,
 EXPORT_SYMBOL(cookie_ecn_ok);

 struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
+                                           const struct
tcp_request_sock_ops *af_ops,
                                            struct sock *sk,
                                            struct sk_buff *skb)
 {
@@ -297,6 +298,8 @@ struct request_sock *cookie_tcp_reqsk_alloc(const
struct request_sock_ops *ops,
                return NULL;

        treq = tcp_rsk(req);
+       /* treq->af_specific might be used to perform TCP_MD5 lookup */
+       treq->af_specific = af_ops;
        treq->syn_tos = TCP_SKB_CB(skb)->ip_dsfield;
 #if IS_ENABLED(CONFIG_MPTCP)
        treq->is_mptcp = sk_is_mptcp(sk);
@@ -364,7 +367,8 @@ struct sock *cookie_v4_check(struct sock *sk,
struct sk_buff *skb)
                goto out;

        ret = NULL;
-       req = cookie_tcp_reqsk_alloc(&tcp_request_sock_ops, sk, skb);
+       req = cookie_tcp_reqsk_alloc(&tcp_request_sock_ops,
+                                    &tcp_request_sock_ipv4_ops, sk, skb);
        if (!req)
                goto out;

diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index d1b61d00368e1f58725e9997f74a0b144901277e..9cc123f000fbcfbeff7728bfee5339d6dd6470f9
100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -170,7 +170,8 @@ struct sock *cookie_v6_check(struct sock *sk,
struct sk_buff *skb)
                goto out;

        ret = NULL;
-       req = cookie_tcp_reqsk_alloc(&tcp6_request_sock_ops, sk, skb);
+       req = cookie_tcp_reqsk_alloc(&tcp6_request_sock_ops,
+                                    &tcp_request_sock_ipv6_ops, sk, skb);
        if (!req)
                goto out;

Powered by blists - more mailing lists