All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Eric Dumazet <edumazet@google.com>,
	Kiran Kumar Kella <kkiran@broadcom.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [ 40/49] tcp: implement RFC 5961 3.2
Date: Sun, 13 Jan 2013 17:43:35 +0000	[thread overview]
Message-ID: <20130113174304.168405660@decadent.org.uk> (raw)
In-Reply-To: <20130113174255.736888844@decadent.org.uk>

3.2-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 282f23c6ee343126156dd41218b22ece96d747e3 ]

Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.

Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previouly accepted
window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)

If sequence is in window but not an exact match, send
a "challenge ACK", so that the other part can resend an
RST with the appropriate sequence.

Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.

Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/networking/ip-sysctl.txt |  5 +++++
 include/linux/snmp.h                   |  1 +
 include/net/tcp.h                      |  1 +
 net/ipv4/proc.c                        |  1 +
 net/ipv4/sysctl_net_ipv4.c             |  7 +++++++
 net/ipv4/tcp_input.c                   | 31 ++++++++++++++++++++++++++++++-
 6 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index a4399f5..3b979c6 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -524,6 +524,11 @@ tcp_thin_dupack - BOOLEAN
 	Documentation/networking/tcp-thin.txt
 	Default: 0
 
+tcp_challenge_ack_limit - INTEGER
+	Limits number of Challenge ACK sent per second, as recommended
+	in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
+	Default: 100
+
 UDP variables:
 
 udp_mem - vector of 3 INTEGERs: min, pressure, max
diff --git a/include/linux/snmp.h b/include/linux/snmp.h
index e16557a..6e310bb 100644
--- a/include/linux/snmp.h
+++ b/include/linux/snmp.h
@@ -233,6 +233,7 @@ enum
 	LINUX_MIB_TCPTIMEWAITOVERFLOW,		/* TCPTimeWaitOverflow */
 	LINUX_MIB_TCPREQQFULLDOCOOKIES,		/* TCPReqQFullDoCookies */
 	LINUX_MIB_TCPREQQFULLDROP,		/* TCPReqQFullDrop */
+	LINUX_MIB_TCPCHALLENGEACK,		/* TCPChallengeACK */
 	__LINUX_MIB_MAX
 };
 
diff --git a/include/net/tcp.h b/include/net/tcp.h
index bb18c4d..0768715 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -251,6 +251,7 @@ extern int sysctl_tcp_max_ssthresh;
 extern int sysctl_tcp_cookie_size;
 extern int sysctl_tcp_thin_linear_timeouts;
 extern int sysctl_tcp_thin_dupack;
+extern int sysctl_tcp_challenge_ack_limit;
 
 extern atomic_long_t tcp_memory_allocated;
 extern struct percpu_counter tcp_sockets_allocated;
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index 466ea8b..f46c478 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -257,6 +257,7 @@ static const struct snmp_mib snmp4_net_list[] = {
 	SNMP_MIB_ITEM("TCPTimeWaitOverflow", LINUX_MIB_TCPTIMEWAITOVERFLOW),
 	SNMP_MIB_ITEM("TCPReqQFullDoCookies", LINUX_MIB_TCPREQQFULLDOCOOKIES),
 	SNMP_MIB_ITEM("TCPReqQFullDrop", LINUX_MIB_TCPREQQFULLDROP),
+	SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
 	SNMP_MIB_SENTINEL
 };
 
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 69fd720..5485077 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -552,6 +552,13 @@ static struct ctl_table ipv4_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec
 	},
+	{
+		.procname	= "tcp_challenge_ack_limit",
+		.data		= &sysctl_tcp_challenge_ack_limit,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec
+	},
 #ifdef CONFIG_NET_DMA
 	{
 		.procname	= "tcp_dma_copybreak",
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index a08a621..a0d3b88 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -86,6 +86,9 @@ int sysctl_tcp_app_win __read_mostly = 31;
 int sysctl_tcp_adv_win_scale __read_mostly = 1;
 EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
 
+/* rfc5961 challenge ack rate limiting */
+int sysctl_tcp_challenge_ack_limit = 100;
+
 int sysctl_tcp_stdurg __read_mostly;
 int sysctl_tcp_rfc1337 __read_mostly;
 int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
@@ -5240,6 +5243,23 @@ out:
 }
 #endif /* CONFIG_NET_DMA */
 
+static void tcp_send_challenge_ack(struct sock *sk)
+{
+	/* unprotected vars, we dont care of overwrites */
+	static u32 challenge_timestamp;
+	static unsigned int challenge_count;
+	u32 now = jiffies / HZ;
+
+	if (now != challenge_timestamp) {
+		challenge_timestamp = now;
+		challenge_count = 0;
+	}
+	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+		tcp_send_ack(sk);
+	}
+}
+
 /* Does PAWS and seqno based validation of an incoming segment, flags will
  * play significant role here.
  */
@@ -5276,7 +5296,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
 
 	/* Step 2: check RST bit */
 	if (th->rst) {
-		tcp_reset(sk);
+		/* RFC 5961 3.2 :
+		 * If sequence number exactly matches RCV.NXT, then
+		 *     RESET the connection
+		 * else
+		 *     Send a challenge ACK
+		 */
+		if (TCP_SKB_CB(skb)->seq == tp->rcv_nxt)
+			tcp_reset(sk);
+		else
+			tcp_send_challenge_ack(sk);
 		goto discard;
 	}
 



  parent reply	other threads:[~2013-01-13 17:45 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-01-13 17:42 [ 00/49] 3.2.37-stable review Ben Hutchings
2013-01-13 17:42 ` [ 01/49] ext4: fix extent tree corruption caused by hole punch Ben Hutchings
2013-01-13 17:42 ` [ 02/49] i915: ensure that VGA plane is disabled Ben Hutchings
2013-01-13 17:42 ` [ 03/49] ext4: check dioread_nolock on remount Ben Hutchings
2013-01-13 17:42 ` [ 04/49] jbd2: fix assertion failure in jbd2_journal_flush() Ben Hutchings
2013-01-13 17:43 ` [ 05/49] hwmon: (lm73} Detect and report i2c bus errors Ben Hutchings
2013-01-13 17:43 ` [ 06/49] ext4: do not try to write superblock on ro remount w/o journal Ben Hutchings
2013-01-13 17:43 ` [ 07/49] PCI: Reduce Ricoh 0xe822 SD card reader base clock frequency to 50MHz Ben Hutchings
2013-01-13 17:43 ` [ 08/49] mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED Ben Hutchings
2013-01-13 17:43 ` [ 09/49] cifs: adjust sequence number downward after signing NT_CANCEL request Ben Hutchings
2013-01-13 17:43 ` [ 10/49] tmpfs mempolicy: fix /proc/mounts corrupting memory Ben Hutchings
2013-01-13 17:43 ` [ 11/49] p54usb: add USB ID for T-Com Sinus 154 data II Ben Hutchings
2013-01-13 17:43 ` [ 12/49] ath9k_hw: Fix RX gain initvals for AR9485 Ben Hutchings
2013-01-13 17:43 ` [ 13/49] p54usb: add USBIDs for two more p54usb devices Ben Hutchings
2013-01-13 17:43 ` [ 14/49] powerpc/vdso: Remove redundant locking in update_vsyscall_tz() Ben Hutchings
2013-01-13 17:43 ` [ 15/49] powerpc: Add missing NULL terminator to avoid boot panic on PPC40x Ben Hutchings
2013-01-13 17:43 ` [ 16/49] drm/radeon: add connector table for SAM440ep embedded board Ben Hutchings
2013-01-13 17:43 ` [ 17/49] drm/radeon: add connector table for Mac G4 Silver Ben Hutchings
2013-01-14 18:48   ` Albrecht Dreß
2013-01-13 17:43 ` [ 18/49] drm/radeon: Properly handle DDC probe for DP bridges Ben Hutchings
2013-01-13 17:43 ` [ 19/49] NFSv4: Add ACCESS operation to OPEN compound Ben Hutchings
2013-01-15 18:42   ` Herton Ronaldo Krzesinski
2013-01-16  1:08     ` Ben Hutchings
2013-01-13 17:43 ` [ 20/49] NFSv4: dont check MAY_WRITE access bit in OPEN Ben Hutchings
2013-01-13 17:43 ` [ 21/49] NFS4: nfs4_opendata_access should return errno Ben Hutchings
2013-01-13 17:43 ` [ 22/49] NFS: Fix access to suid/sgid executables Ben Hutchings
2013-01-13 17:43 ` [ 23/49] drm/nouveau: fix init with agpgart-uninorth Ben Hutchings
2013-01-13 17:43 ` [ 24/49] video: mxsfb: fix crash when unblanking the display Ben Hutchings
2013-01-13 17:43 ` [ 25/49] nfs: fix null checking in nfs_get_option_str() Ben Hutchings
2013-01-13 17:43 ` [ 26/49] SUNRPC: Ensure that we free the rpc_task after cleanups are done Ben Hutchings
2013-01-13 17:43 ` [ 27/49] ACPI / scan: Do not use dummy HID for system bus ACPI nodes Ben Hutchings
2013-01-13 17:43 ` [ 28/49] mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT Ben Hutchings
2013-01-13 17:43 ` [ 29/49] drivers/rtc/rtc-vt8500.c: correct handling of CR_24H bitfield Ben Hutchings
2013-01-13 17:43 ` [ 30/49] drivers/rtc/rtc-vt8500.c: fix handling of data passed in struct rtc_time Ben Hutchings
2013-01-13 17:43 ` [ 31/49] udf: dont increment lenExtents while writing to a hole Ben Hutchings
2013-01-13 17:43 ` [ 32/49] epoll: prevent missed events on EPOLL_CTL_MOD Ben Hutchings
2013-01-13 17:43 ` [ 33/49] rt2x00: Dont let mac80211 send a BAR when an AMPDU subframe fails Ben Hutchings
2013-01-13 17:43 ` [ 34/49] mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL Ben Hutchings
2013-01-13 17:43 ` [ 35/49] Revert: "rt2x00: Dont let mac80211 send a BAR when an AMPDU subframe fails" Ben Hutchings
2013-01-13 17:43 ` [ 36/49] ftrace: Do not function trace inlined functions Ben Hutchings
2013-01-13 17:43 ` [ 37/49] sparc: huge_ptep_set_* functions need to call set_huge_pte_at() Ben Hutchings
2013-01-13 17:43 ` [ 38/49] inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock Ben Hutchings
2013-01-13 17:43 ` [ 39/49] net: sched: integer overflow fix Ben Hutchings
2013-01-13 17:43 ` Ben Hutchings [this message]
2013-01-13 17:43 ` [ 41/49] tcp: implement RFC 5961 4.2 Ben Hutchings
2013-01-13 17:43 ` [ 42/49] tcp: refine SYN handling in tcp_validate_incoming Ben Hutchings
2013-01-13 17:43 ` [ 43/49] tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming() Ben Hutchings
2013-01-13 17:43 ` [ 44/49] tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation Ben Hutchings
2013-01-13 17:43 ` [ 45/49] [SCSI] mvsas: Fix oops when ata commond timeout Ben Hutchings
2013-01-13 17:43 ` [ 46/49] RDMA/nes: Fix for crash when registering zero length MR for CQ Ben Hutchings
2013-01-13 17:43 ` [ 47/49] RDMA/nes: Fix for terminate timer crash Ben Hutchings
2013-01-13 17:43 ` [ 48/49] ACPI : do not use Lid and Sleep button for S5 wakeup Ben Hutchings
2013-01-13 17:43 ` [ 49/49] aoe: do not call bdi_init after blk_alloc_queue Ben Hutchings
2013-01-13 22:44 ` [ 00/49] 3.2.37-stable review Ben Hutchings

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130113174304.168405660@decadent.org.uk \
    --to=ben@decadent.org.uk \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kkiran@broadcom.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.