From patchwork Mon Dec 11 08:05:46 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christoph Paasch X-Patchwork-Id: 846851 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=apple.com header.i=@apple.com header.b="LUQw/KcR"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3ywGBG0sJHz9s71 for ; Mon, 11 Dec 2017 19:21:10 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752048AbdLKIVI (ORCPT ); Mon, 11 Dec 2017 03:21:08 -0500 Received: from mail-out4.apple.com ([17.151.62.26]:48986 "EHLO mail-in4.apple.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750836AbdLKIVG (ORCPT ); Mon, 11 Dec 2017 03:21:06 -0500 X-Greylist: delayed 900 seconds by postgrey-1.27 at vger.kernel.org; Mon, 11 Dec 2017 03:21:05 EST DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1512979565; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-Version:Content-Type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=4ZJ6n0Y0Cgz3ADSu/7HdAf3LYVhasEHvPZkFcqSsMaM=; b=LUQw/KcRA3N3LFp+3p/7YdXCCdF7ZTHARzKkCwE7WR+Lnjr6gcA8gx8fcrdCgC+F b5fiptlPYHPNWhJHIW3VO14CVeOpTIPhqAFJOOstuXRaSvMd6YhdqZWFWRJad+V5 sZMzVaqr6hNdWnk7wNxhUqJiWG/3/CzFgx79GT/+E4c2Ipg+0LKWSS80jOEuYckf fvgPrsUBFhpUuIazisFLBuoc03be688kp/l4/7UdnWRvqPSL7Ak+mUt4TXjRxhbS RzFXEPuWn2W7shd5C+kOiZ/KwxPP5fzlkKxETBWbJh9oIRB87uAd4ZhVqjuwdyg7 v8apf2dwzRuRfXcRrjW8uw==; Received: from relay2.apple.com (relay2.apple.com [17.128.113.67]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in4.apple.com (Apple Secure Mail Relay) with SMTP id 2A.81.16042.D6C3E2A5; Mon, 11 Dec 2017 00:06:05 -0800 (PST) X-AuditID: 11973e12-801fd9c000003eaa-1b-5a2e3c6d7d21 Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by relay2.apple.com (Apple SCV relay) with SMTP id 26.D7.07440.D6C3E2A5; Mon, 11 Dec 2017 00:06:05 -0800 (PST) Content-transfer-encoding: 7BIT Received: from localhost ([17.234.51.233]) by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.1.20171102 64bit (built Nov 2 2017)) with ESMTPSA id <0P0S00MZ3EI4M730@nwk-mmpp-sz12.apple.com>; Mon, 11 Dec 2017 00:06:05 -0800 (PST) From: Christoph Paasch To: David Miller Cc: netdev@vger.kernel.org Subject: [PATCH net] tcp md5sig: Use skb's saddr when replying to an incoming segment Date: Mon, 11 Dec 2017 00:05:46 -0800 Message-id: <20171211080546.89418-1-cpaasch@apple.com> X-Mailer: git-send-email 2.15.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrHJMWRmVeSWpSXmKPExsUi2FDorJtroxdl8PyhhMWc8y0sFscWiDkw eWxZeZPJ4/MmuQCmKC6blNSczLLUIn27BK6MrzOfsBcs4a+YtP4zewPjQ54uRk4OCQETibPn VrCA2EICq5kknpyPh4lvmHmVuYuRCyh+iFFi54V+1i5GDg5mAXmJg+dlIeKNTBKr9t9lBGkQ FpCU6L5zhxnEZhPQknh7u50VxBYRUJOYeGICWJxZQEri5aUZUPXhEmceb2ECsVkEVCUunn0E Np9XwExi+Vc/iBvkJRZ/38kGYR9klThwU2gCI/8shCsWMDKuYhTKTczM0c3MM9FLLCjISdVL zs/dxAgKoOl2QjsYT62yOsQowMGoxMO7YLZulBBrYllxZe4hRmkOFiVx3qtzdKKEBNITS1Kz U1MLUovii0pzUosPMTJxcEo1MCo+fd/Xqf6gR/a23DWHC/8mP2a6dmWzzySldxkWghOEyl29 7m8vPLpmzbqzJkt4xfS010sYrPzZx9aj/JfPe3fG3P62at2TXTv2TW47O0PNuuJ58/fudyGz X7rMei/+ta7MbnafbIR40KrSxpxJlT92urdoaQkpufTqrX3+8/zapbMSTLjPHlNiKc5INNRi LipOBAC8W+mOAQIAAA== X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrMJMWRmVeSWpSXmKPExsUi2FB8RjfXRi/KYOMGMYs551tYLI4tEHNg 8tiy8iaTx+dNcgFMUVw2Kak5mWWpRfp2CVwZX2c+YS9Ywl8xaf1n9gbGhzxdjJwcEgImEhtm XmXuYuTiEBI4xCix80I/axcjBwezgLzEwfOyEPFGJolV++8ygjQIC0hKdN+5wwxiswloSby9 3c4KYosIqElMPDEBLM4sICXx8tIMqPpwiTOPtzCB2CwCqhIXzz4Cm88rYCax/KsfxA3yEou/ 72SbwMgzC2HzAkbGVYwCRak5iZVGeokFBTmpesn5uZsYwV4vdN7BeGyZ1SFGAQ5GJR7eBbN1 o4RYE8uKK3OBXuBgVhLhNfUDCvGmJFZWpRblxxeV5qQWH2KU5mBREuc9elU9SkggPbEkNTs1 tSC1CCbLxMEp1cC44PrypbOdp8nNcLxvtGnfVybfNYJV3sI+Wg8Nrr5Prr72NvVE3xXv31LP DnfdFTv/4cbpCElX75C3ybxVv/eGWbU+sM74b9xyhUOqOXX3jMI/8vHWOrs/mHybnPCpbZtV u9cT6eVrboda+jpacgQc3PDo15N7Vf+F+H7eSKwR2XLr0FeB9S9OK7EUZyQaajEXFScCAN8r NGH2AQAA Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The MD5-key that belongs to a connection is identified by the peer's IP-address. When we are in tcp_v4(6)_reqsk_send_ack(), we are replying to an incoming segment from tcp_check_req() that failed the seq-number checks. Thus, to find the correct key, we need to use the skb's saddr and not the daddr. This bug seems to have been there since quite a while, but probably got unnoticed because the consequences are not catastrophic. We will call tcp_v4_reqsk_send_ack only to send a challenge-ACK back to the peer, thus the connection doesn't really fail. Fixes: 9501f9722922 ("tcp md5sig: Let the caller pass appropriate key for tcp_v{4,6}_do_calc_md5_hash().") Signed-off-by: Christoph Paasch Reviewed-by: Eric Dumazet --- net/ipv4/tcp_ipv4.c | 2 +- net/ipv6/tcp_ipv6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 77ea45da0fe9..94e28350f420 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -848,7 +848,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, req->ts_recent, 0, - tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->daddr, + tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->saddr, AF_INET), inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, ip_hdr(skb)->tos); diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 1f04ec0e4a7a..7178476b3d2f 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -994,7 +994,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, req->ts_recent, sk->sk_bound_dev_if, - tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr), + tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr), 0, 0); }