From: Guillaume Nault <gnault@redhat.com>
To: David Miller <davem@davemloft.net>,
Jakub Kicinski <jakub.kicinski@netronome.com>
Cc: netdev@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Arnd Bergmann <arnd@arndb.de>
Subject: [PATCH net v2 0/2] tcp: fix handling of stale syncookies timestamps
Date: Thu, 5 Dec 2019 01:58:58 +0100
Message-ID: <cover.1575503545.git.gnault@redhat.com>

The synflood timestamps (->ts_recent_stamp and ->synq_overflow_ts) are
only refreshed when the syncookie protection triggers. Therefore, their
value can become very far apart from jiffies if no synflood happens for
a long time.

If jiffies grows too much and wraps while the synflood timestamp isn't
refreshed, then time_after32() might consider the latter to be in the
future. This can trick tcp_synq_no_recent_overflow() into returning
erroneous values and rejecting valid ACKs.

Patch 1 handles the case of ACKs using legitimate syncookies.
Patch 2 handles the case of stray ACKs.

Changes from v1:
  - Initialising timestamps at socket creation time is not enough
    because jiffies wraps in 24 days with HZ=1000 (Eric Dumazet).
    Handle stale timestamps in tcp_synq_overflow() and
    tcp_synq_no_recent_overflow() instead.
  - Rework commit description.
  - Add a second patch to handle the case of stray ACKs.

Guillaume Nault (2):
  tcp: fix rejected syncookies due to stale timestamps
  tcp: tighten acceptance of ACKs not matching a child socket

 include/net/tcp.h | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--
@DaveM, I'm sending both patches in one series as they logically fit
together, although patch 2 is arguably a performance optimisation. I
can drop it from the series and repost it when net-next reopens if
you prefer. Although that'd make the link between the two less obvious.
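
The wrap-around described in the cover letter, as an added example that is not part of the original message or of the patches: a userspace model of a signed 32-bit "after" comparison, where a timestamp more than 2^31 ticks old is read as lying in the future. The helper names, HZ=1000 and the 120-second window are assumptions for this sketch, and the bounded variant is illustrative, not the series' actual fix.

```c
#include <stdint.h>
#include <stdio.h>

#define HZ 1000u                  /* assumption: HZ=1000, the case cited in the thread */
#define VALID_WINDOW (120u * HZ)  /* constructed validity window for this sketch */

/* Wrap-safe "a is after b" on 32-bit tick counters. It relies on a signed
 * difference, so it is only meaningful while a and b are < 2^31 ticks apart
 * (about 24.8 days at HZ=1000). */
static int after32(uint32_t a, uint32_t b)
{
	return (int32_t)(b - a) < 0;
}

/* Does a timestamp that is really `age` ticks old look like the future? */
static int stale_seen_as_future(uint32_t stamp, uint32_t age)
{
	uint32_t now = stamp + age;	/* tick counter wraps modulo 2^32 */
	return after32(stamp, now);
}

/* Naive check: "no recent overflow" once now is past stamp + window. */
static int no_recent_naive(uint32_t stamp, uint32_t age)
{
	uint32_t now = stamp + age;
	return after32(now, stamp + VALID_WINDOW);
}

/* Bounded check (hypothetical): recent only if the unsigned distance from
 * stamp to now is inside the window, so a very old stamp stays old. */
static int no_recent_bounded(uint32_t stamp, uint32_t age)
{
	uint32_t now = stamp + age;
	return (uint32_t)(now - stamp) > VALID_WINDOW;
}

int main(void)
{
	uint32_t stamp = 0xfffff000u;	/* constructed: last refresh, near wrap */
	uint32_t ages[] = { 60u * HZ, 3600u * HZ, 0x80000000u + 200u * HZ };

	for (unsigned i = 0; i < sizeof(ages) / sizeof(ages[0]); i++)
		printf("age=%10u future=%d naive=%d bounded=%d\n", (unsigned)ages[i],
		       stale_seen_as_future(stamp, ages[i]),
		       no_recent_naive(stamp, ages[i]),
		       no_recent_bounded(stamp, ages[i]));
	return 0;
}
```

The bounded form still aliases once per 2^32 ticks, when the counter passes back through the window after a full wrap.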