From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xin Long <lucien.xin@gmail.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 21/38] netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new
Date: Wed, 7 Feb 2024 16:23:07 -0500
Message-ID: <20240207212337.2351-21-sashal@kernel.org>
In-Reply-To: <20240207212337.2351-1-sashal@kernel.org>
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 6e348067ee4bc5905e35faa3a8fafa91c9124bc7 ]
The annotation says in sctp_new(): "If it is a shutdown ack OOTB packet, we
expect a return shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8)".
However, it does not check SCTP_CID_SHUTDOWN_ACK before setting vtag[REPLY]
in the conntrack entry (ct).
Because of that, if the ct in the Router disappears for some reason at [1]
in a packet sequence like the one below:
Client > Server: sctp (1) [INIT] [init tag: 3201533963]
Server > Client: sctp (1) [INIT ACK] [init tag: 972498433]
Client > Server: sctp (1) [COOKIE ECHO]
Server > Client: sctp (1) [COOKIE ACK]
Client > Server: sctp (1) [DATA] (B)(E) [TSN: 3075057809]
Server > Client: sctp (1) [SACK] [cum ack 3075057809]
Server > Client: sctp (1) [HB REQ]
(the ct in Router disappears somehow) <-------- [1]
Client > Server: sctp (1) [HB ACK]
Client > Server: sctp (1) [DATA] (B)(E) [TSN: 3075057810]
Client > Server: sctp (1) [DATA] (B)(E) [TSN: 3075057810]
Client > Server: sctp (1) [HB REQ]
Client > Server: sctp (1) [DATA] (B)(E) [TSN: 3075057810]
Client > Server: sctp (1) [HB REQ]
Client > Server: sctp (1) [ABORT]
when processing the HB ACK packet in the Router, it calls sctp_new() to
initialize the new ct with vtag[REPLY] set to the HB ACK packet's vtag.
Later, when the Client sends DATA, all the SACKs from the Server get
dropped in the Router, as the SACK packet's vtag does not match vtag[REPLY]
in the ct. The worst thing is that the vtag in this ct will never get fixed
by the upcoming packets from the Server.
This patch fixes it by checking SCTP_CID_SHUTDOWN_ACK before setting
vtag[REPLY] in the ct in sctp_new(), as the annotation says. With this
fix, vtag[REPLY] in the ct is left at 0 in the case above, and the
next HB REQ/ACK from the Server is able to fix the vtag, as its value is 0
in nf_conntrack_sctp_packet().
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_proto_sctp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index c6bd533983c1..4cc97f971264 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -283,7 +283,7 @@ sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
pr_debug("Setting vtag %x for secondary conntrack\n",
sh->vtag);
ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
- } else {
+ } else if (sch->type == SCTP_CID_SHUTDOWN_ACK) {
/* If it is a shutdown ack OOTB packet, we expect a return
shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
pr_debug("Setting vtag %x for new conn OOTB\n",
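Review bot: with `} else if (sch->type == SCTP_CID_SHUTDOWN_ACK) {` replacing the bare `else`, every other OOTB chunk now falls out of the if/else chain with vtag[REPLY] still 0 and nothing logged, while the two surviving branches both pr_debug what they set; the only statement that 0 is intentional and means "let nf_conntrack_sctp_packet() learn it from the first heartbeat in that direction" is in the commit message, not at the site. Suggest a one-line comment above the new `else if` saying so, and a trailing `else` with a pr_debug of the chunk type so a dropped SACK after a ct loss is diagnosable from the existing debug output; the condition itself matches the "If it is a shutdown ack OOTB packet" comment on the following two lines and looks correct.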
--
2.43.0
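The failure the commit message describes, as an added example that is not part of the patch or of the kernel source: a small C model of the two pieces involved, the vtag seeding in sctp_new() and the per-direction vtag checks in nf_conntrack_sctp_packet(), replaying the packets that follow the ct loss at [1] under both the old and the new sctp_new() rule. Assumptions, all mine and not taken from the kernel: the model keeps only the vtag rules the commit message relies on (INIT and INIT ACK record the peer's init tag for the opposite direction; a heartbeat or heartbeat ack fills in a zero vtag and otherwise must match; every other chunk must match), it leaves out the conntrack state machine, the HEARTBEAT_VTAG_FAILED retry logic and ABORT's T flag, it treats a heartbeat vtag mismatch as a plain drop, and it adds one constructed "S>C HB REQ" packet that the capture does not contain, to exercise the recovery path the message says the fix enables.

```c
/* Added model, not kernel code: the per-direction SCTP vtag bookkeeping of
 * nf_conntrack_proto_sctp reduced to the rules the commit message relies on.
 * Left out: the conntrack state machine, HEARTBEAT_VTAG_FAILED, ABORT's T flag. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { DIR_ORIGINAL, DIR_REPLY };
/* chunk type identifiers, RFC 4960 section 3.2 */
enum chunk { CID_DATA = 0, CID_INIT = 1, CID_INIT_ACK = 2, CID_SACK = 3,
	     CID_HEARTBEAT = 4, CID_HEARTBEAT_ACK = 5, CID_SHUTDOWN_ACK = 8 };

/* orig_from_client: side that sent the packet which created the ct;
 * vtag[dir]: tag expected in packets flowing in that direction, 0 = unknown */
struct ct { bool alive, orig_from_client; uint32_t vtag[2]; };
/* vtag is the common-header tag; init_tag is used by INIT / INIT ACK only */
struct pkt { bool from_client; enum chunk type; uint32_t vtag, init_tag; };

/* Model of sctp_new(): first packet of a flow that has no ct yet. */
static bool model_sctp_new(struct ct *ct, const struct pkt *p, bool fixed)
{
	if (p->type == CID_INIT && p->vtag != 0)
		return false;				/* Sec 8.5.1 (A) */
	ct->alive = true;
	ct->orig_from_client = p->from_client;
	ct->vtag[DIR_ORIGINAL] = ct->vtag[DIR_REPLY] = 0;
	if (p->type == CID_INIT)
		ct->vtag[DIR_REPLY] = p->init_tag;
	else if (p->type == CID_HEARTBEAT)
		ct->vtag[DIR_ORIGINAL] = p->vtag;
	/* Unfixed: any other OOTB chunk, e.g. an HB ACK carrying the tag
	 * that the reply side owns, is recorded as vtag[REPLY]. */
	else if (!fixed || p->type == CID_SHUTDOWN_ACK)
		ct->vtag[DIR_REPLY] = p->vtag;
	return true;
}

/* Model of the vtag checks in nf_conntrack_sctp_packet(); false = dropped. */
static bool model_sctp_packet(struct ct *ct, const struct pkt *p)
{
	int dir = p->from_client == ct->orig_from_client ? DIR_ORIGINAL : DIR_REPLY;
	switch (p->type) {
	case CID_INIT:
	case CID_INIT_ACK:		/* the init tag is what the peer sends back */
		ct->vtag[!dir] = p->init_tag;
		return true;
	case CID_HEARTBEAT:
	case CID_HEARTBEAT_ACK:		/* a zero vtag means "unknown, learn it" */
		if (ct->vtag[dir] == 0) {
			ct->vtag[dir] = p->vtag;
			return true;
		}
		return p->vtag == ct->vtag[dir];
	default:			/* DATA, SACK, ...: must match */
		return p->vtag == ct->vtag[dir];
	}
}

struct outcome { uint32_t reply_vtag; int passed; bool last_sack_passed; };
/* init tags from the capture in the commit message */
#define CLIENT_TAG 3201533963u
#define SERVER_TAG 972498433u

/* Replay the packets after the ct loss at [1]: client packets carry the
 * server's tag and vice versa. The "S>C HB REQ" is constructed to exercise
 * the recovery path the commit message describes; it is not in the capture. */
static struct outcome run_after_ct_loss(bool fixed)
{
	static const struct pkt seq[] = {
		{ true,  CID_HEARTBEAT_ACK, SERVER_TAG, 0 },
		{ true,  CID_DATA,          SERVER_TAG, 0 },
		{ false, CID_SACK,          CLIENT_TAG, 0 },
		{ false, CID_HEARTBEAT,     CLIENT_TAG, 0 },
		{ false, CID_SACK,          CLIENT_TAG, 0 },
	};
	struct ct ct = { .alive = false };
	struct outcome o = { 0, 0, false };

	for (size_t i = 0; i < sizeof(seq) / sizeof(seq[0]); i++) {
		const struct pkt *p = &seq[i];
		bool ok = ct.alive || model_sctp_new(&ct, p, fixed);
		if (ok)
			ok = model_sctp_packet(&ct, p);
		printf("%s chunk %d vtag %u -> %s (ct orig=%u reply=%u)\n",
		       p->from_client ? "C>S" : "S>C", (int)p->type,
		       (unsigned)p->vtag, ok ? "pass" : "DROP",
		       (unsigned)ct.vtag[DIR_ORIGINAL], (unsigned)ct.vtag[DIR_REPLY]);
		o.passed += ok;
		o.last_sack_passed = ok;	/* the final packet is a SACK */
	}
	o.reply_vtag = ct.vtag[DIR_REPLY];
	return o;
}

int main(void)
{
	puts("-- before the fix --");  run_after_ct_loss(false);
	puts("-- with the fix --");    run_after_ct_loss(true);
	return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. In the "before" run the HB ACK seeds vtag[REPLY] with the server's own tag (972498433), so every server-to-client packet, SACKs and heartbeats alike, mismatches and is dropped, and nothing can ever correct it. In the "with the fix" run vtag[REPLY] stays 0: the first SACK is still dropped, which is the trade-off the commit message accepts, but the server's next heartbeat is accepted, fills in the correct tag (3201533963), and the SACK that follows passes.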