From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xin Long <lucien.xin@gmail.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 09/16] netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new
Date: Wed, 7 Feb 2024 16:26:49 -0500
Message-ID: <20240207212700.4287-9-sashal@kernel.org>
In-Reply-To: <20240207212700.4287-1-sashal@kernel.org>
From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 6e348067ee4bc5905e35faa3a8fafa91c9124bc7 ]

The annotation says in sctp_new(): "If it is a shutdown ack OOTB packet, we
expect a return shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8)".
However, it does not check SCTP_CID_SHUTDOWN_ACK before setting vtag[REPLY]
in the conntrack entry(ct).

Because of that, if the ct in Router disappears for some reason in [1]
with the packet sequence like below:

  Client > Server: sctp (1) [INIT] [init tag: 3201533963]
  Server > Client: sctp (1) [INIT ACK] [init tag: 972498433]
  Client > Server: sctp (1) [COOKIE ECHO]
  Server > Client: sctp (1) [COOKIE ACK]
  Client > Server: sctp (1) [DATA] (B)(E) [TSN: 3075057809]
  Server > Client: sctp (1) [SACK] [cum ack 3075057809]
  Server > Client: sctp (1) [HB REQ]
  (the ct in Router disappears somehow) <-------- [1]
  Client > Server: sctp (1) [HB ACK]
  Client > Server: sctp (1) [DATA] (B)(E) [TSN: 3075057810]
  Client > Server: sctp (1) [DATA] (B)(E) [TSN: 3075057810]
  Client > Server: sctp (1) [HB REQ]
  Client > Server: sctp (1) [DATA] (B)(E) [TSN: 3075057810]
  Client > Server: sctp (1) [HB REQ]
  Client > Server: sctp (1) [ABORT]

when processing HB ACK packet in Router it calls sctp_new() to initialize
the new ct with vtag[REPLY] set to HB_ACK packet's vtag.

Later when sending DATA from Client, all the SACKs from Server will get
dropped in Router, as the SACK packet's vtag does not match vtag[REPLY]
in the ct. The worst thing is the vtag in this ct will never get fixed
by the upcoming packets from Server.

This patch fixes it by checking SCTP_CID_SHUTDOWN_ACK before setting
vtag[REPLY] in the ct in sctp_new() as the annotation says. With this
fix, it will leave vtag[REPLY] in ct to 0 in the case above, and the
next HB REQ/ACK from Server is able to fix the vtag as its value is 0
in nf_conntrack_sctp_packet().

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_proto_sctp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index e7545bcca805..6b2a215b2786 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -299,7 +299,7 @@ sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
pr_debug("Setting vtag %x for secondary conntrack\n",
sh->vtag);
ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = sh->vtag;
- } else {
+ } else if (sch->type == SCTP_CID_SHUTDOWN_ACK) {
/* If it is a shutdown ack OOTB packet, we expect a return
shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
pr_debug("Setting vtag %x for new conn OOTB\n",
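Review bot: with the plain `else` replaced by `else if (sch->type == SCTP_CID_SHUTDOWN_ACK)`, every other chunk type now falls through this chain without writing vtag[REPLY], and the commit message relies on that field then being 0 so that nf_conntrack_sctp_packet() can fill it from a later HB REQ/ACK. Neither the zero-initialisation of ct->proto.sctp nor that fix-up path is visible in this hunk, so for the 5.10 backport please confirm both are present in this tree. A one-line comment at the end of the chain stating that the fall-through for other chunk types is deliberate would also help the next reader.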
--
2.43.0