This is a note to let you know that I've just added the patch titled
tcp: tcp_replace_ts_recent() should not be called from
tcp_validate_incoming()
to the 3.0-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tcp-tcp_replace_ts_recent-should-not-be-called-from-tcp_validate_incoming.patch
and it can be found in the queue-3.0 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From e5cf6017a12d2941a9b98ef7e50aa3816d98ee6a Mon Sep 17 00:00:00 2001
From: Eric Dumazet <eduma...@google.com>
Date: Tue, 13 Nov 2012 05:37:18 +0000
Subject: tcp: tcp_replace_ts_recent() should not be called from
tcp_validate_incoming()
From: Eric Dumazet <eduma...@google.com>
[ Upstream commit bd090dfc634ddd711a5fbd0cadc6e0ab4977bcaf ]
We added support for RFC 5961 in latest kernels but TCP fails
to perform exhaustive check of ACK sequence.
We can update our view of peer tsval from a frame that is
later discarded by tcp_ack()
This makes timestamps enabled sessions vulnerable to injection of
a high tsval : peers start an ACK storm, since the victim
sends a dupack each time it receives an ACK from the other peer.
As tcp_validate_incoming() is called before tcp_ack(), we should
not peform tcp_replace_ts_recent() from it, and let callers do it
at the right time.
Signed-off-by: Eric Dumazet <eduma...@google.com>
Cc: Neal Cardwell <ncardw...@google.com>
Cc: Yuchung Cheng <ych...@google.com>
Cc: Nandita Dukkipati <nandi...@google.com>
Cc: H.K. Jerry Chu <hk...@google.com>
Cc: Romain Francoise <rom...@orebokech.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
net/ipv4/tcp_input.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5237,11 +5237,6 @@ static bool tcp_validate_incoming(struct
goto discard;
}
- /* ts_recent update must be made after we are sure that the packet
- * is in window.
- */
- tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
-
/* step 3: check security and precedence [ignored] */
/* step 4: Check for a SYN
@@ -5476,6 +5471,11 @@ step5:
if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
goto discard;
+ /* ts_recent update must be made after we are sure that the packet
+ * is in window.
+ */
+ tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
+
tcp_rcv_rtt_measure_ts(sk, skb);
/* Process urgent data. */
@@ -5952,6 +5952,11 @@ int tcp_rcv_state_process(struct sock *s
} else
goto discard;
+ /* ts_recent update must be made after we are sure that the packet
+ * is in window.
+ */
+ tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
+
/* step 6: check the URG bit */
tcp_urg(sk, skb, th);
Patches currently in stable-queue which might be from eduma...@google.com are
queue-3.0/tcp-implement-rfc-5961-4.2.patch
queue-3.0/tcp-implement-rfc-5961-3.2.patch
queue-3.0/tcp-rfc-5961-5.2-blind-data-injection-attack-mitigation.patch
queue-3.0/tcp-refine-syn-handling-in-tcp_validate_incoming.patch
queue-3.0/tcp-tcp_replace_ts_recent-should-not-be-called-from-tcp_validate_incoming.patch
queue-3.0/net-sched-integer-overflow-fix.patch
queue-3.0/bonding-bonding-driver-does-not-consider-the-gso_max_size-gso_max_segs-setting-of-slave-devices.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
