mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-04 12:16:41 +00:00
tcp: add a missing nf_reset_ct() in 3WHS handling
When the third packet of 3WHS connection establishment contains payload, it is added into socket receive queue without the XFRM check and the drop of connection tracking context. This means that if the data is left unread in the socket receive queue, conntrack module can not be unloaded. As most applications usually reads the incoming data immediately after accept(), bug has been hiding for quite a long time. Commit68822bdf76
("net: generalize skb freeing deferral to per-cpu lists") exposed this bug because even if the application reads this data, the skb with nfct state could stay in a per-cpu cache for an arbitrary time, if said cpu no longer process RX softirqs. Many thanks to Ilya Maximets for reporting this issue, and for testing various patches: https://lore.kernel.org/netdev/20220619003919.394622-1-i.maximets@ovn.org/ Note that I also added a missing xfrm4_policy_check() call, although this is probably not a big issue, as the SYN packet should have been dropped earlier. Fixes:b59c270104
("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done") Reported-by: Ilya Maximets <i.maximets@ovn.org> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Florian Westphal <fw@strlen.de> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Steffen Klassert <steffen.klassert@secunet.com> Tested-by: Ilya Maximets <i.maximets@ovn.org> Reviewed-by: Ilya Maximets <i.maximets@ovn.org> Link: https://lore.kernel.org/r/20220623050436.1290307-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
parent
935336c191
commit
6f0012e351
@ -1964,7 +1964,10 @@ int tcp_v4_rcv(struct sk_buff *skb)
|
||||
struct sock *nsk;
|
||||
|
||||
sk = req->rsk_listener;
|
||||
drop_reason = tcp_inbound_md5_hash(sk, skb,
|
||||
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
|
||||
drop_reason = SKB_DROP_REASON_XFRM_POLICY;
|
||||
else
|
||||
drop_reason = tcp_inbound_md5_hash(sk, skb,
|
||||
&iph->saddr, &iph->daddr,
|
||||
AF_INET, dif, sdif);
|
||||
if (unlikely(drop_reason)) {
|
||||
@ -2016,6 +2019,7 @@ int tcp_v4_rcv(struct sk_buff *skb)
|
||||
}
|
||||
goto discard_and_relse;
|
||||
}
|
||||
nf_reset_ct(skb);
|
||||
if (nsk == sk) {
|
||||
reqsk_put(req);
|
||||
tcp_v4_restore_cb(skb);
|
||||
|
Loading…
Reference in New Issue
Block a user