From: David Miller
Subject: Re: [PATCH net] tcp md5sig: Use skb's saddr when replying to an incoming segment
Date: Tue, 12 Dec 2017 11:21:19 -0500 (EST)
Message-ID: <20171212.112119.160806066229814761.davem@davemloft.net>
References: <20171211080546.89418-1-cpaasch@apple.com>
In-Reply-To: <20171211080546.89418-1-cpaasch@apple.com>
To: cpaasch@apple.com
Cc: netdev@vger.kernel.org

From: Christoph Paasch
Date: Mon, 11 Dec 2017 00:05:46 -0800

> The MD5-key that belongs to a connection is identified by the peer's
> IP-address. When we are in tcp_v4(6)_reqsk_send_ack(), we are replying
> to an incoming segment from tcp_check_req() that failed the seq-number
> checks.
>
> Thus, to find the correct key, we need to use the skb's saddr and not
> the daddr.
>
> This bug seems to have been there since quite a while, but probably got
> unnoticed because the consequences are not catastrophic. We will call
> tcp_v4_reqsk_send_ack only to send a challenge-ACK back to the peer,
> thus the connection doesn't really fail.
>
> Fixes: 9501f9722922 ("tcp md5sig: Let the caller pass appropriate key for tcp_v{4,6}_do_calc_md5_hash().")
> Signed-off-by: Christoph Paasch

Applied and queued up for -stable, thanks.
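
The key-lookup mistake described in the quoted commit message, as an added example that is not part of the original thread or of the kernel source: a simplified user-space C model with hypothetical names (md5_key_lookup, reply_key_buggy, reply_key_fixed) and constructed addresses. As an assumption of the model, a lookup that finds no key means the reply goes out without an MD5 signature.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space model, not kernel code; all names are hypothetical. */
struct md5_key { uint32_t peer; const char *secret; };  /* key is per peer IPv4 */
struct segment { uint32_t saddr, daddr; };              /* incoming IP header   */

#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample: local host 192.0.2.1 holds one key, for peer 198.51.100.7. */
static const struct md5_key key_table[] = {
    { IP(198, 51, 100, 7), "constructed-secret" },
};

/* Return the key configured for the given peer address, or NULL if none. */
static const struct md5_key *md5_key_lookup(uint32_t peer)
{
    for (size_t i = 0; i < sizeof(key_table) / sizeof(key_table[0]); i++)
        if (key_table[i].peer == peer)
            return &key_table[i];
    return NULL;
}

/* Before the fix: uses the incoming segment's daddr, which is our own address. */
static const struct md5_key *reply_key_buggy(struct segment in)
{
    return md5_key_lookup(in.daddr);
}

/* After the fix: the peer is the sender of the incoming segment, so use saddr. */
static const struct md5_key *reply_key_fixed(struct segment in)
{
    return md5_key_lookup(in.saddr);
}

/* Constructed incoming segment: sent by the peer, addressed to the local host. */
static struct segment sample_in(void)
{
    struct segment in = { IP(198, 51, 100, 7), IP(192, 0, 2, 1) };
    return in;
}

int main(void)
{
    /* Exit status 0 when the buggy lookup misses and the fixed lookup hits. */
    return !(reply_key_buggy(sample_in()) == NULL &&
             reply_key_fixed(sample_in()) != NULL);
}
```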