From patchwork Fri Dec 21 22:45:48 2012
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 207895
X-Patchwork-Delegate: davem@davemloft.net
Subject: Re: TCP sequence number inference attack on Linux
From: Eric Dumazet
To: Zhiyun Qian
Cc: netdev@vger.kernel.org
References: <1356114663.21834.7697.camel@edumazet-glaptop> <1356118052.21834.7793.camel@edumazet-glaptop>
Date: Fri, 21 Dec 2012 14:45:48 -0800
Message-ID: <1356129948.21834.8002.camel@edumazet-glaptop>
X-Mailer: Evolution 2.28.3
X-Mailing-List: netdev@vger.kernel.org

On Fri, 2012-12-21 at 14:49 -0500, Zhiyun Qian wrote:
> If I am not mistaken, line 6142 in kernel v3.7.1 corresponds to
> tcp_rcv_state_process(). According to the comments, "This function
> implements the receiving procedure of RFC 793 for all states except
> ESTABLISHED and TIME_WAIT." Are you referring to a different kernel
> version?

You are not mistaken, it seems the code is too permissive.

We should reject a frame without ACK flag while in ESTABLISHED state.
That's explicitly stated in RFC 973.

Then we should make all possible safety checks before even sending a frame or changing socket variables.
(For instance the tests done in tcp_ack() should be done before calling tcp_validate_incoming())

John Dykstra in commit 96e0bf4b5193d0 (tcp: Discard segments that ack data not yet sent) took a step in the right direction, but missed this.

Current code assumes the incoming frame is mostly legitimate.

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index a136925..2ea4937 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -5551,7 +5551,7 @@ slow_path: return 0; step5: - if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0) + if (!th->ack || tcp_ack(sk, skb, FLAG_SLOWPATH) < 0) goto discard; /* ts_recent update must be made after we are sure that the packet
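Review bot: the new `!th->ack` test at step5 sits after the `return 0;` context line, that is, after the earlier validation path in this function has already run on the segment, while the mail itself says the safety checks should come before tcp_validate_incoming() and before any socket variable is changed; moving the ACK-flag requirement up ahead of that call would match the stated intent. If it is moved there, keep RST segments exempt, since a RST may legitimately arrive without ACK and must still reach the reset handling, e.g. `if (!th->ack && !th->rst) goto discard;`. Two smaller points: the `goto discard` is silent, so a MIB counter, or at least a comment citing RFC 793's rule that every segment in ESTABLISHED other than a RST must carry ACK, would help operators see how often such frames arrive; and since the thread discusses line 6142 in tcp_rcv_state_process() while this hunk touches the `slow_path:`/`step5:` code at 5551, the patch description should state which receive path it covers and whether the non-ESTABLISHED states need the same treatment.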
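As an added illustration of the ordering the mail argues for (check everything first, touch connection state only afterwards), the C sketch below is not kernel code and not part of this thread. It models a receiver in ESTABLISHED that applies the RFC 793 acceptability test, requires ACK on every non-RST segment, and discards ACKs for data never sent, all in a side-effect-free function; `struct conn`, `struct seg`, `established_check`, `process_segment` and the sample values in `main` are hypothetical constructs for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TH_RST 0x04
#define TH_ACK 0x10

/* Hypothetical connection and segment records (not the kernel's structures). */
struct conn {
    uint32_t snd_una;   /* oldest byte we sent that is still unacknowledged */
    uint32_t snd_nxt;   /* next byte we will send */
    uint32_t rcv_nxt;   /* next byte we expect from the peer */
    uint32_t rcv_wnd;   /* bytes we are willing to accept */
};

struct seg {
    uint8_t  flags;     /* TH_* bits */
    uint32_t seq;
    uint32_t ack;
    uint32_t len;       /* payload length */
};

enum verdict {
    SEG_ACCEPT,          /* safe to let ACK/data processing modify the connection */
    SEG_DROP_SEQ,        /* outside the receive window (RFC 793 acceptability test) */
    SEG_DROP_NO_ACK,     /* ESTABLISHED: every non-RST segment must carry ACK */
    SEG_DROP_ACK_AHEAD,  /* acknowledges data we never sent (cf. commit 96e0bf4b5193d0) */
    SEG_RESET            /* in-window RST; needs no ACK, tears the connection down */
};

/* Modular sequence-space comparisons, the same idea as the kernel's before()/after(). */
static bool seq_after(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }
static bool seq_before(uint32_t a, uint32_t b) { return seq_after(b, a); }
static bool seq_in_wnd(uint32_t x, uint32_t lo, uint32_t wnd)
{
    return !seq_before(x, lo) && seq_before(x, lo + wnd);
}

/* RFC 793 segment acceptability: four cases by payload length and window size. */
static bool seq_acceptable(const struct conn *c, const struct seg *s)
{
    if (s->len == 0)
        return c->rcv_wnd == 0 ? s->seq == c->rcv_nxt
                               : seq_in_wnd(s->seq, c->rcv_nxt, c->rcv_wnd);
    if (c->rcv_wnd == 0)
        return false;
    return seq_in_wnd(s->seq, c->rcv_nxt, c->rcv_wnd) ||
           seq_in_wnd(s->seq + s->len - 1, c->rcv_nxt, c->rcv_wnd);
}

/* Pure check for the ESTABLISHED state: reads the connection, never writes it,
 * so nothing has to be undone when a later test fails. */
enum verdict established_check(const struct conn *c, const struct seg *s)
{
    if (!seq_acceptable(c, s))
        return SEG_DROP_SEQ;
    if (s->flags & TH_RST)              /* a RST may legitimately lack ACK */
        return SEG_RESET;
    if (!(s->flags & TH_ACK))           /* the rejection the mail asks for */
        return SEG_DROP_NO_ACK;
    if (seq_after(s->ack, c->snd_nxt))  /* cannot ack what we never sent */
        return SEG_DROP_ACK_AHEAD;
    return SEG_ACCEPT;
}

/* State changes happen only after the whole check passed. An ACK older than
 * snd_una is ignored rather than rejected, as RFC 793 prescribes. */
bool process_segment(struct conn *c, const struct seg *s)
{
    if (established_check(c, s) != SEG_ACCEPT)
        return false;
    if (!seq_before(s->ack, c->snd_una))
        c->snd_una = s->ack;
    return true;
}

int main(void)
{
    /* Constructed sample state: 500 bytes in flight, 4 KiB receive window. */
    struct conn c = { .snd_una = 1000, .snd_nxt = 1500, .rcv_nxt = 5000, .rcv_wnd = 4096 };
    struct seg no_ack = { .flags = 0,      .seq = 5000, .ack = 0,    .len = 10 };
    struct seg good   = { .flags = TH_ACK, .seq = 5000, .ack = 1200, .len = 0 };

    printf("ACK-less data segment: verdict %d (expect %d)\n",
           established_check(&c, &no_ack), SEG_DROP_NO_ACK);
    printf("well-formed ACK:       accepted=%d, snd_una now %u\n",
           process_segment(&c, &good), c.snd_una);
    return 0;
}
```

The design point is the split between `established_check`, which takes a `const` connection and can only return a verdict, and `process_segment`, which is the only place that writes `snd_una`; a check that has to run "before changing socket variables" is easiest to get right when the compiler enforces that it cannot change them.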