From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Patrick McHardy <kaber@trash.net>
Subject: [patch 28/47] netfilter: nf_conntrack_tcp: fixing to check the lower bound of valid ACK
Date: Tue, 22 Jul 2008 16:16:29 -0700
Message-ID: <20080722231629.GC8282@suse.de>
In-Reply-To: <20080722231342.GA8282@suse.de>
[-- Attachment #1: netfilter-nf_conntrack_tcp-fixing-to-check-the-lower-bound-of-valid-ack.patch --]
[-- Type: text/plain, Size: 3284 bytes --]
2.6.25-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Upstream commit 84ebe1c:
Lost connections were reported by Thomas Bätzler (running 2.6.25 kernel) on
the netfilter mailing list (see the thread "Weird nat/conntrack Problem
with PASV FTP upload"). He provided tcpdump recordings which helped to
find a long lingering bug in conntrack.
In TCP connection tracking, checking the lower bound of valid ACK could
lead to mark valid packets as INVALID because:
- We have got a "higher or equal" inequality, but the test checked
the "higher" condition only; fixed.
- If the packet contains a SACK option, it could occur that the ACK
value was before the left edge of our (S)ACK "window": if a previous
packet from the other party intersected the right edge of the window
of the receiver, we could move forward the window parameters beyond
accepting a valid ack. Therefore in this patch we check the rightmost
SACK edge instead of the ACK value in the lower bound of valid (S)ACK
test.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/netfilter/nf_conntrack_proto_tcp.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -332,12 +332,13 @@ static unsigned int get_conntrack_index(
I. Upper bound for valid data: seq <= sender.td_maxend
II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin
- III. Upper bound for valid ack: sack <= receiver.td_end
- IV. Lower bound for valid ack: ack >= receiver.td_end - MAXACKWINDOW
+ III. Upper bound for valid (s)ack: sack <= receiver.td_end
+ IV. Lower bound for valid (s)ack: sack >= receiver.td_end - MAXACKWINDOW
- where sack is the highest right edge of sack block found in the packet.
+ where sack is the highest right edge of sack block found in the packet
+ or ack in the case of packet without SACK option.
- The upper bound limit for a valid ack is not ignored -
+ The upper bound limit for a valid (s)ack is not ignored -
we doesn't have to deal with fragments.
*/
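Review bot: rule IV in this comment now bounds sack instead of ack, but the comment does not record why, and it no longer states any lower bound for the ack field itself when a SACK option is present. Add a sentence after the "where sack is ..." definition giving the reason from the changelog (the receiver's window parameters may already have moved forward past a valid ack), so a later reader does not change it back to ack. While this block is being touched, the unchanged line "we doesn't have to deal with fragments" could be corrected to "we don't".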
@@ -607,12 +608,12 @@ static int tcp_in_window(const struct nf
before(seq, sender->td_maxend + 1),
after(end, sender->td_end - receiver->td_maxwin - 1),
before(sack, receiver->td_end + 1),
- after(ack, receiver->td_end - MAXACKWINDOW(sender)));
+ after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
if (before(seq, sender->td_maxend + 1) &&
after(end, sender->td_end - receiver->td_maxwin - 1) &&
before(sack, receiver->td_end + 1) &&
- after(ack, receiver->td_end - MAXACKWINDOW(sender))) {
+ after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
/*
* Take into account window scaling (RFC 1323).
*/
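Review bot: the corrected lower-bound test is written out twice, once in the argument list that ends just above the if and once in the if condition, and both copies had to be changed in step (ack to sack, plus the "- 1" that makes after() act as "higher or equal"). Evaluating the four bounds once into local variables and using those in both places would keep the logged result and the actual decision from drifting apart on the next change. The "- 1" also deserves a short comment, since the data lower bound two lines up uses the same idiom and the off-by-one is easy to reintroduce.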
--
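The two points in the changelog above, worked through as an added example that is not part of the original patch or the kernel source. The helper names, the sample sequence numbers and the window size are constructed for illustration; the window is passed in as a parameter rather than computed by MAXACKWINDOW().

```c
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe sequence comparisons with the usual before()/after() semantics. */
static int seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static int seq_after(uint32_t a, uint32_t b) { return seq_before(b, a); }

/* Test IV before the patch: strict "higher" comparison on the ACK field. */
static int lower_bound_old(uint32_t ack, uint32_t td_end, uint32_t maxackwin)
{
    return seq_after(ack, td_end - maxackwin);
}

/* Test IV after the patch: "higher or equal" comparison on sack. */
static int lower_bound_new(uint32_t sack, uint32_t td_end, uint32_t maxackwin)
{
    return seq_after(sack, td_end - maxackwin - 1);
}

/* sack as the patched comment defines it: highest SACK right edge, else ack. */
static uint32_t effective_sack(uint32_t ack, const uint32_t *edges, int n)
{
    uint32_t sack = ack;
    for (int i = 0; i < n; i++)
        if (seq_after(edges[i], sack))
            sack = edges[i];
    return sack;
}

int main(void)
{
    const uint32_t win = 66000;            /* constructed window size */
    const uint32_t edge[] = { 90000 };     /* constructed SACK right edge */
    struct { const char *what; uint32_t ack, td_end; int nsack; } c[] = {
        { "ack exactly on the bound", 34000, 100000, 0 },
        { "old ack plus SACK block",  30000, 100000, 1 },
        { "bound wraps past zero",    4294902296u, 1000, 0 },
        { "ack one below the bound",  33999, 100000, 0 },
    };
    for (unsigned i = 0; i < sizeof c / sizeof c[0]; i++) {
        uint32_t sack = effective_sack(c[i].ack, edge, c[i].nsack);
        printf("%-26s old=%d new=%d\n", c[i].what,
               lower_bound_old(c[i].ack, c[i].td_end, win),
               lower_bound_new(sack, c[i].td_end, win));
    }
    return 0;
}
```

The first three cases are rejected by the old test and accepted by the new one; the last is rejected by both, so the bound itself has not moved.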