| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iLH1j-mNeNWUGKvwe55Wgv488X2WT-_Rry0vFN89sJjLQ@mail.gmail.com>
Date: Tue, 26 Jul 2022 18:49:56 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: netdev <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
Cong Wang <cong.wang@...edance.com>,
syzbot <syzbot+a0e6f8738b58f7654417@...kaller.appspotmail.com>,
Stanislav Fomichev <sdf@...gle.com>,
John Fastabend <john.fastabend@...il.com>
Subject: Re: [Patch bpf-next] tcp: fix sock skb accounting in tcp_read_skb()
On Tue, Jul 26, 2022 at 6:47 PM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Tue, Jul 26, 2022 at 6:14 PM Cong Wang <xiyou.wangcong@...il.com> wrote:
>
> > If TCP really wants to queue a FIN with skb->len==0, then we have to
> > adjust the return value for recv_actor(), because we currently use 0 as
> > an error too (meaning no data is consumed):
> >
> > if (sk_psock_verdict_apply(psock, skb, ret) < 0)
> > len = 0; // here!
> > out:
> > rcu_read_unlock();
> > return len;
> >
> >
> > BTW, what is wrong if we simply drop it before queueing to
> > sk_receive_queue in TCP? Is it there just for collapse?
>
> Because an incoming segment can have payload and FIN.
>
> The consumer will need to consume the payload before FIN is considered/consumed,
> with the complication of MSG_PEEK ...
>
> Right after tcp_read_skb() removes the skb from sk_receive_queue,
> we need to update TCP state, regardless of recv_actor().
>
> Maybe like that:
>
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index ba2bdc81137490bd1748cde95789f8d2bff3ab0f..6e2c11cd921872e406baffc475c9870e147578a1
> 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -1759,20 +1759,15 @@ int tcp_read_skb(struct sock *sk,
> skb_read_actor_t recv_actor)
> int used;
>
> __skb_unlink(skb, &sk->sk_receive_queue);
> + seq = TCP_SKB_CB(skb)->end_seq;
> used = recv_actor(sk, skb);
> if (used <= 0) {
> if (!copied)
> copied = used;
> break;
> }
> - seq += used;
> copied += used;
>
> - if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) {
> - consume_skb(skb);
> - ++seq;
> - break;
> - }
> consume_skb(skb);
> break;
> }
Or even better:
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index ba2bdc81137490bd1748cde95789f8d2bff3ab0f..66c187a2592c042565211565adb3f40a811dfd7d
100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1759,21 +1759,15 @@ int tcp_read_skb(struct sock *sk,
skb_read_actor_t recv_actor)
int used;
__skb_unlink(skb, &sk->sk_receive_queue);
+ seq = TCP_SKB_CB(skb)->end_seq;
used = recv_actor(sk, skb);
+ consume_skb(skb);
if (used <= 0) {
if (!copied)
copied = used;
break;
}
- seq += used;
copied += used;
-
- if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) {
- consume_skb(skb);
- ++seq;
- break;
- }
- consume_skb(skb);
break;
}
WRITE_ONCE(tp->copied_seq, seq);
Powered by blists - more mailing lists