[net 1/1] tipc: ignore STATE_MSG on wrong link session

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [net  1/1] tipc: ignore STATE_MSG on wrong link session
@ 2018-09-26 20:28 Jon Maloy
  2018-10-02  5:36 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Jon Maloy @ 2018-09-26 20:28 UTC (permalink / raw)
  To: davem, netdev
  Cc: gordan.mihaljevic, tung.q.nguyen, hoang.h.le, jon.maloy,
	canh.d.luu, ying.xue, tipc-discussion

From: LUU Duc Canh <canh.d.luu@dektech.com.au>

The initial session number when a link is created is based on a random
value, taken from struct tipc_net->random. It is then incremented for
each link reset to avoid mixing protocol messages from different link
sessions.

However, when a bearer is reset all its links are deleted, and will
later be re-created using the same random value as the first time.
This means that if the link never went down between creation and
deletion we will still sometimes have two subsequent sessions with
the same session number. In virtual environments with potentially
long transmission times this has turned out to be a real problem.

We now fix this by randomizing the session number each time a link
is created.

With a session number size of 16 bits this gives a risk of session
collision of 1/64k. To reduce this further, we also introduce a sanity
check on the very first STATE message arriving at a link. If this has
an acknowledge value differing from 0, which is logically impossible,
we ignore the message. The final risk for session collision is hence
reduced to 1/4G, which should be sufficient.

Signed-off-by: LUU Duc Canh <canh.d.luu@dektech.com.au>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
---
 net/tipc/link.c | 3 +++
 net/tipc/node.c | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/tipc/link.c b/net/tipc/link.c
index 4ed650c..fb886b5 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1516,6 +1516,9 @@ bool tipc_link_validate_msg(struct tipc_link *l, struct tipc_msg *hdr)
 			return false;
 		if (session != curr_session)
 			return false;
+		/* Extra sanity check */
+		if (!link_is_up(l) && msg_ack(hdr))
+			return false;
 		if (!(l->peer_caps & TIPC_LINK_PROTO_SEQNO))
 			return true;
 		/* Accept only STATE with new sequence number */
diff --git a/net/tipc/node.c b/net/tipc/node.c
index b0ee25f..2afc4f8 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -913,6 +913,7 @@ void tipc_node_check_dest(struct net *net, u32 addr,
 	bool reset = true;
 	char *if_name;
 	unsigned long intv;
+	u16 session;

 	*dupl_addr = false;
 	*respond = false;
@@ -999,9 +1000,10 @@ void tipc_node_check_dest(struct net *net, u32 addr,
 			goto exit;

 		if_name = strchr(b->name, ':') + 1;
+		get_random_bytes(&session, sizeof(u16));
 		if (!tipc_link_create(net, if_name, b->identity, b->tolerance,
 				      b->net_plane, b->mtu, b->priority,
-				      b->window, mod(tipc_net(net)->random),
+				      b->window, session,
 				      tipc_own_addr(net), addr, peer_id,
 				      n->capabilities,
 				      tipc_bc_sndlink(n->net), n->bc_entry.link,
@@ -1625,7 +1627,6 @@ static bool tipc_node_check_state(struct tipc_node *n, struct sk_buff *skb,
 			tipc_link_create_dummy_tnl_msg(l, xmitq);
 			n->failover_sent = true;
 		}
-
 		/* If pkts arrive out of order, use lowest calculated syncpt */
 		if (less(syncpt, n->sync_point))
 			n->sync_point = syncpt;
-- 
2.1.4

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [net 1/1] tipc: ignore STATE_MSG on wrong link session
  2018-09-26 20:28 [net 1/1] tipc: ignore STATE_MSG on wrong link session Jon Maloy
@ 2018-10-02  5:36 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2018-10-02  5:36 UTC (permalink / raw)
  To: jon.maloy
  Cc: netdev, gordan.mihaljevic, tung.q.nguyen, hoang.h.le, canh.d.luu,
	ying.xue, tipc-discussion

From: Jon Maloy <jon.maloy@ericsson.com>
Date: Wed, 26 Sep 2018 22:28:52 +0200

> From: LUU Duc Canh <canh.d.luu@dektech.com.au>
> 
> The initial session number when a link is created is based on a random
> value, taken from struct tipc_net->random. It is then incremented for
> each link reset to avoid mixing protocol messages from different link
> sessions.
> 
> However, when a bearer is reset all its links are deleted, and will
> later be re-created using the same random value as the first time.
> This means that if the link never went down between creation and
> deletion we will still sometimes have two subsequent sessions with
> the same session number. In virtual environments with potentially
> long transmission times this has turned out to be a real problem.
> 
> We now fix this by randomizing the session number each time a link
> is created.
> 
> With a session number size of 16 bits this gives a risk of session
> collision of 1/64k. To reduce this further, we also introduce a sanity
> check on the very first STATE message arriving at a link. If this has
> an acknowledge value differing from 0, which is logically impossible,
> we ignore the message. The final risk for session collision is hence
> reduced to 1/4G, which should be sufficient.
> 
> Signed-off-by: LUU Duc Canh <canh.d.luu@dektech.com.au>
> Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>

Applied.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-10-02 12:18 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-09-26 20:28 [net 1/1] tipc: ignore STATE_MSG on wrong link session Jon Maloy
2018-10-02  5:36 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).