Message-ID: <f3765a0c-1f57-e244-002e-148c88407f31@tessares.net>
Date:   Tue, 15 Nov 2022 12:37:29 +0100
From:   Matthieu Baerts <matthieu.baerts@...sares.net>
To:     Geert Uytterhoeven <geert+renesas@...der.be>,
        Jamie Bainbridge <jamie.bainbridge@...il.com>,
        Eric Dumazet <edumazet@...gle.com>,
        "David S . Miller" <davem@...emloft.net>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Chris Down <chris@...isdown.name>,
        Stephen Hemminger <stephen@...workplumber.org>
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next] tcp: Fix tcp_syn_flood_action() if CONFIG_IPV6=n

Hi Geert,

On 15/11/2022 11:12, Geert Uytterhoeven wrote:
> If CONFIG_IPV6=n:
> 
>     net/ipv4/tcp_input.c: In function ‘tcp_syn_flood_action’:
>     include/net/sock.h:387:37: error: ‘const struct sock_common’ has no member named ‘skc_v6_rcv_saddr’; did you mean ‘skc_rcv_saddr’?
>       387 | #define sk_v6_rcv_saddr __sk_common.skc_v6_rcv_saddr
> 	  |                                     ^~~~~~~~~~~~~~~~
>     include/linux/printk.h:429:19: note: in definition of macro ‘printk_index_wrap’
>       429 |   _p_func(_fmt, ##__VA_ARGS__);    \
> 	  |                   ^~~~~~~~~~~
>     include/linux/printk.h:530:2: note: in expansion of macro ‘printk’
>       530 |  printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
> 	  |  ^~~~~~
>     include/linux/net.h:272:3: note: in expansion of macro ‘pr_info’
>       272 |   function(__VA_ARGS__);    \
> 	  |   ^~~~~~~~
>     include/linux/net.h:288:2: note: in expansion of macro ‘net_ratelimited_function’
>       288 |  net_ratelimited_function(pr_info, fmt, ##__VA_ARGS__)
> 	  |  ^~~~~~~~~~~~~~~~~~~~~~~~
>     include/linux/net.h:288:43: note: in expansion of macro ‘sk_v6_rcv_saddr’
>       288 |  net_ratelimited_function(pr_info, fmt, ##__VA_ARGS__)
> 	  |                                           ^~~~~~~~~~~
>     net/ipv4/tcp_input.c:6847:4: note: in expansion of macro ‘net_info_ratelimited’
>      6847 |    net_info_ratelimited("%s: Possible SYN flooding on port [%pI6c]:%u. %s.\n",
> 	  |    ^~~~~~~~~~~~~~~~~~~~
> 
> Fix this by using "#if" instead of "if", like is done for all other
> checks for CONFIG_IPV6.

Thank you for the patch!

Our CI validating MPTCP also found the issue. I was going to suggest a
similar one before I saw yours :)

Everything is fixed on my side after having applied the patch!

Tested-by: Matthieu Baerts <matthieu.baerts@...sares.net>

> Fixes: d9282e48c6088105 ("tcp: Add listening address to SYN flood message")
> Signed-off-by: Geert Uytterhoeven <geert+renesas@...der.be>
> ---
>  net/ipv4/tcp_input.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index 94024fdc2da1b28a..e5d7a33fac6666bb 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -6843,11 +6843,14 @@ static bool tcp_syn_flood_action(const struct sock *sk, const char *proto)
>  
>  	if (!queue->synflood_warned && syncookies != 2 &&
>  	    xchg(&queue->synflood_warned, 1) == 0) {
> -		if (IS_ENABLED(CONFIG_IPV6) && sk->sk_family == AF_INET6) {
> +#if IS_ENABLED(CONFIG_IPV6)
> +		if (sk->sk_family == AF_INET6) {
>  			net_info_ratelimited("%s: Possible SYN flooding on port [%pI6c]:%u. %s.\n",
>  					proto, &sk->sk_v6_rcv_saddr,
>  					sk->sk_num, msg);
> -		} else {
> +		} else
> +#endif
> +		{
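
Review bot: The `} else` left dangling before `#endif`, with the bare `{` after it, makes the following block the else body only when CONFIG_IPV6 is enabled; otherwise it is a plain compound statement. That is correct in both configurations but fragile: a statement added later between `#endif` and `{` would silently become the else body in IPv6 builds. Consider a one-line comment at the `#endif` noting that the brace below is the else body in IPv6 builds, or restructure so each branch is self-contained. The preprocessor guard itself is needed: as the quoted build log shows, `skc_v6_rcv_saddr` is not a member of `struct sock_common` when CONFIG_IPV6=n, so the branch still had to compile under the removed `IS_ENABLED(CONFIG_IPV6) &&` test in the C `if`.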

I was going to suggest to remove the unneeded braces here and just
before + eventually fix the indentation under net_info_ratelimited()
while at it but that's just some details not directly linked to the fix
here.

Cheers,
Matt
-- 
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net
