[v2,net] tcp: md5: incorrect tcp_header_len for incoming connections

Commit Message

Francesco Ruggeri April 21, 2022, 12:50 a.m. UTC

In tcp_create_openreq_child we adjust tcp_header_len for md5 using the
remote address in newsk. But that address is still 0 in newsk at this
point, and it is only set later by the callers (tcp_v[46]_syn_recv_sock).
Use the address from the request socket instead.

v2: Added "Fixes:" line.

Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
---
 net/ipv4/tcp_minisocks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Eric Dumazet April 21, 2022, 2 a.m. UTC | #1

On Wed, Apr 20, 2022 at 5:50 PM Francesco Ruggeri <fruggeri@arista.com> wrote:
>
> In tcp_create_openreq_child we adjust tcp_header_len for md5 using the
> remote address in newsk. But that address is still 0 in newsk at this
> point, and it is only set later by the callers (tcp_v[46]_syn_recv_sock).
> Use the address from the request socket instead.
>
>
>
> Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
> Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>

Thanks for fixing this Francesco.

Reviewed-by: Eric Dumazet <edumazet@google.com>

patchwork-bot+netdevbpf@kernel.org April 22, 2022, 10:20 p.m. UTC | #2

Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 20 Apr 2022 17:50:26 -0700 you wrote:
> In tcp_create_openreq_child we adjust tcp_header_len for md5 using the
> remote address in newsk. But that address is still 0 in newsk at this
> point, and it is only set later by the callers (tcp_v[46]_syn_recv_sock).
> Use the address from the request socket instead.
> 
> v2: Added "Fixes:" line.
> 
> [...]

Here is the summary with links:
  - [v2,net] tcp: md5: incorrect tcp_header_len for incoming connections
    https://git.kernel.org/netdev/net/c/5b0b9e4c2c89

You are awesome, thank you!

Eric Dumazet April 24, 2022, 7:36 p.m. UTC | #3

On Wed, Apr 20, 2022 at 5:50 PM Francesco Ruggeri <fruggeri@arista.com> wrote:
>
> In tcp_create_openreq_child we adjust tcp_header_len for md5 using the
> remote address in newsk. But that address is still 0 in newsk at this
> point, and it is only set later by the callers (tcp_v[46]_syn_recv_sock).
> Use the address from the request socket instead.
>
> v2: Added "Fixes:" line.
>
> Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
> Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
> ---
>  net/ipv4/tcp_minisocks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
> index 6366df7aaf2a..6854bb1fb32b 100644
> --- a/net/ipv4/tcp_minisocks.c
> +++ b/net/ipv4/tcp_minisocks.c
> @@ -531,7 +531,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
>         newtp->tsoffset = treq->ts_off;
>  #ifdef CONFIG_TCP_MD5SIG
>         newtp->md5sig_info = NULL;      /*XXX*/
> -       if (newtp->af_specific->md5_lookup(sk, newsk))
> +       if (treq->af_specific->req_md5_lookup(sk, req_to_sk(req)))

Wait a minute.

Are you sure treq->af_specific is initialized at this point ?

I should have tested this one liner patch really :/

I think that for syncookies, treq->af_specific is not initialized,
because we do not go through
tcp_conn_request() helper, but instead use cookie_tcp_reqsk_alloc()

Before your patch treq->af_specific was only used during SYNACK
generation, which does not happen in syncookie more while receiving
the third packet.

I will test something like this patch. We could move the init after
cookie_tcp_reqsk_alloc() has been called, but I prefer using the same
construct than tcp_conn_request()

diff --git a/include/net/tcp.h b/include/net/tcp.h
index be712fb9ddd71b2b320356677f3aa1c6759e2698..9987b3fba9f202632916cc439af9d17f1e68bcd3
100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -480,6 +480,7 @@ int __cookie_v4_check(const struct iphdr *iph,
const struct tcphdr *th,
                      u32 cookie);
 struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb);
 struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
+                                           const struct
tcp_request_sock_ops *af_ops,
                                            struct sock *sk, struct
sk_buff *skb);
 #ifdef CONFIG_SYN_COOKIES

diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 2cb3b852d14861231ac47f0b3e4daeb57682ffd2..f191bfa996d71f11ef786a0a3bcb8f737622d37a
100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -281,6 +281,7 @@ bool cookie_ecn_ok(const struct
tcp_options_received *tcp_opt,
 EXPORT_SYMBOL(cookie_ecn_ok);

 struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
+                                           const struct
tcp_request_sock_ops *af_ops,
                                            struct sock *sk,
                                            struct sk_buff *skb)
 {
@@ -297,6 +298,8 @@ struct request_sock *cookie_tcp_reqsk_alloc(const
struct request_sock_ops *ops,
                return NULL;

        treq = tcp_rsk(req);
+       /* treq->af_specific might be used to perform TCP_MD5 lookup */
+       treq->af_specific = af_ops;
        treq->syn_tos = TCP_SKB_CB(skb)->ip_dsfield;
 #if IS_ENABLED(CONFIG_MPTCP)
        treq->is_mptcp = sk_is_mptcp(sk);
@@ -364,7 +367,8 @@ struct sock *cookie_v4_check(struct sock *sk,
struct sk_buff *skb)
                goto out;

        ret = NULL;
-       req = cookie_tcp_reqsk_alloc(&tcp_request_sock_ops, sk, skb);
+       req = cookie_tcp_reqsk_alloc(&tcp_request_sock_ops,
+                                    &tcp_request_sock_ipv4_ops, sk, skb);
        if (!req)
                goto out;

diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index d1b61d00368e1f58725e9997f74a0b144901277e..9cc123f000fbcfbeff7728bfee5339d6dd6470f9
100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -170,7 +170,8 @@ struct sock *cookie_v6_check(struct sock *sk,
struct sk_buff *skb)
                goto out;

        ret = NULL;
-       req = cookie_tcp_reqsk_alloc(&tcp6_request_sock_ops, sk, skb);
+       req = cookie_tcp_reqsk_alloc(&tcp6_request_sock_ops,
+                                    &tcp_request_sock_ipv6_ops, sk, skb);
        if (!req)
                goto out;

Francesco Ruggeri April 25, 2022, 5:55 p.m. UTC | #4

On Sun, Apr 24, 2022 at 12:37 PM Eric Dumazet <edumazet@google.com> wrote:
>
> Wait a minute.
>
> Are you sure treq->af_specific is initialized at this point ?
>
> I should have tested this one liner patch really :/
>
> I think that for syncookies, treq->af_specific is not initialized,
> because we do not go through
> tcp_conn_request() helper, but instead use cookie_tcp_reqsk_alloc()
>
> Before your patch treq->af_specific was only used during SYNACK
> generation, which does not happen in syncookie more while receiving
> the third packet.
>
> I will test something like this patch. We could move the init after
> cookie_tcp_reqsk_alloc() has been called, but I prefer using the same
> construct than tcp_conn_request()
>

Thanks for fixing this Eric. I had not considered syncookies.

Francesco

Patch

diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 6366df7aaf2a..6854bb1fb32b 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -531,7 +531,7 @@  struct sock *tcp_create_openreq_child(const struct sock *sk,
 	newtp->tsoffset = treq->ts_off;
 #ifdef CONFIG_TCP_MD5SIG
 	newtp->md5sig_info = NULL;	/*XXX*/
-	if (newtp->af_specific->md5_lookup(sk, newsk))
+	if (treq->af_specific->req_md5_lookup(sk, req_to_sk(req)))
 		newtp->tcp_header_len += TCPOLEN_MD5SIG_ALIGNED;
 #endif
 	if (skb->len >= TCP_MSS_DEFAULT + newtp->tcp_header_len)