[PATCH net] ipv4: Fix incorrect source address in Record Route option

[PATCH net] ipv4: Fix incorrect source address in Record Route option

[Ido Schimmel]

The Record Route IP option records the addresses of the routers that
routed the packet. In the case of forwarded packets, the kernel performs
a route lookup via fib_lookup() and fills in the preferred source
address of the matched route.

The lookup is performed with the DS field of the forwarded packet, but
using the RT_TOS() macro which only masks one of the two ECN bits. If
the packet is ECT(0) or CE, the matched route might be different than
the route via which the packet was forwarded as the input path masks
both of the ECN bits, resulting in the wrong address being filled in the
Record Route option.

Fix by masking both of the ECN bits.

Fixes: 8e36360ae876 ("ipv4: Remove route key identity dependencies in ip_rt_get_source().")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 net/ipv4/route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 5090912533d6..1110f69bf9bc 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1263,7 +1263,7 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt)
 		struct flowi4 fl4 = {
 			.daddr = iph->daddr,
 			.saddr = iph->saddr,
-			.flowi4_tos = RT_TOS(iph->tos),
+			.flowi4_tos = iph->tos & IPTOS_RT_MASK,
 			.flowi4_oif = rt->dst.dev->ifindex,
 			.flowi4_iif = skb->dev->ifindex,
 			.flowi4_mark = skb->mark,
-- 
2.45.1

Re: [PATCH net] ipv4: Fix incorrect source address in Record Route option

[Guillaume Nault]

On Thu, Jul 18, 2024 at 03:34:07PM +0300, Ido Schimmel wrote:
> The Record Route IP option records the addresses of the routers that
> routed the packet. In the case of forwarded packets, the kernel performs
> a route lookup via fib_lookup() and fills in the preferred source
> address of the matched route.
> 
> The lookup is performed with the DS field of the forwarded packet, but
> using the RT_TOS() macro which only masks one of the two ECN bits. If
> the packet is ECT(0) or CE, the matched route might be different than
> the route via which the packet was forwarded as the input path masks
> both of the ECN bits, resulting in the wrong address being filled in the
> Record Route option.
> 
> Fix by masking both of the ECN bits.

Reviewed-by: Guillaume Nault <gnault@redhat.com>

Re: [PATCH net] ipv4: Fix incorrect source address in Record Route option

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Thu, 18 Jul 2024 15:34:07 +0300 you wrote:
> The Record Route IP option records the addresses of the routers that
> routed the packet. In the case of forwarded packets, the kernel performs
> a route lookup via fib_lookup() and fills in the preferred source
> address of the matched route.
> 
> The lookup is performed with the DS field of the forwarded packet, but
> using the RT_TOS() macro which only masks one of the two ECN bits. If
> the packet is ECT(0) or CE, the matched route might be different than
> the route via which the packet was forwarded as the input path masks
> both of the ECN bits, resulting in the wrong address being filled in the
> Record Route option.
> 
> [...]

Here is the summary with links:
  - [net] ipv4: Fix incorrect source address in Record Route option
    https://git.kernel.org/netdev/net/c/cc73bbab4b1f

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html