From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Dumazet Subject: Re: [PATCH net] tcp md5sig: Use skb's saddr when replying to an incoming segment Date: Mon, 11 Dec 2017 20:51:09 -0800 Message-ID: <1513054269.25033.46.camel@gmail.com> References: <20171211080546.89418-1-cpaasch@apple.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Cc: netdev@vger.kernel.org To: Christoph Paasch , David Miller Return-path: Received: from mail-pf0-f169.google.com ([209.85.192.169]:37468 "EHLO mail-pf0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751123AbdLLEvN (ORCPT ); Mon, 11 Dec 2017 23:51:13 -0500 Received: by mail-pf0-f169.google.com with SMTP id n6so13352472pfa.4 for ; Mon, 11 Dec 2017 20:51:12 -0800 (PST) In-Reply-To: <20171211080546.89418-1-cpaasch@apple.com> Sender: netdev-owner@vger.kernel.org List-ID: On Mon, 2017-12-11 at 00:05 -0800, Christoph Paasch wrote: > The MD5-key that belongs to a connection is identified by the peer's > IP-address. When we are in tcp_v4(6)_reqsk_send_ack(), we are > replying > to an incoming segment from tcp_check_req() that failed the seq- > number > checks. > > Thus, to find the correct key, we need to use the skb's saddr and not > the daddr. > > This bug seems to have been there since quite a while, but probably > got > unnoticed because the consequences are not catastrophic. We will call > tcp_v4_reqsk_send_ack only to send a challenge-ACK back to the peer, > thus the connection doesn't really fail. > > Fixes: 9501f9722922 ("tcp md5sig: Let the caller pass appropriate key > for tcp_v{4,6}_do_calc_md5_hash().") > Signed-off-by: Christoph Paasch > --- >  net/ipv4/tcp_ipv4.c | 2 +- >  net/ipv6/tcp_ipv6.c | 2 +- >  2 files changed, 2 insertions(+), 2 deletions(-) Reviewed-by: Eric Dumazet Thanks !