From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
alan@lxorguk.ukuu.org.uk, Eric Dumazet <edumazet@google.com>,
Neal Cardwell <ncardwell@google.com>,
Yuchung Cheng <ycheng@google.com>, Jerry Chu <hkchu@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 36/47] tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation
Date: Wed, 9 Jan 2013 12:35:31 -0800 [thread overview]
Message-ID: <20130109201733.648924777@linuxfoundation.org> (raw)
In-Reply-To: <20130109201729.435233560@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 354e4aa391ed50a4d827ff6fc11e0667d0859b25 ]
RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation]
All TCP stacks MAY implement the following mitigation. TCP stacks
that implement this mitigation MUST add an additional input check to
any incoming segment. The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back.
Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward
declaration.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Jerry Chu <hkchu@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_input.c | 43 +++++++++++++++++++++++++------------------
1 file changed, 25 insertions(+), 18 deletions(-)
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3636,6 +3636,24 @@ static int tcp_process_frto(struct sock
return 0;
}
+/* RFC 5961 7 [ACK Throttling] */
+static void tcp_send_challenge_ack(struct sock *sk)
+{
+ /* unprotected vars, we dont care of overwrites */
+ static u32 challenge_timestamp;
+ static unsigned int challenge_count;
+ u32 now = jiffies / HZ;
+
+ if (now != challenge_timestamp) {
+ challenge_timestamp = now;
+ challenge_count = 0;
+ }
+ if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+ tcp_send_ack(sk);
+ }
+}
+
/* This routine deals with incoming acks, but not outgoing ones. */
static int tcp_ack(struct sock *sk, struct sk_buff *skb, int flag)
{
@@ -3652,8 +3670,14 @@ static int tcp_ack(struct sock *sk, stru
/* If the ack is older than previous acks
* then we can probably ignore it.
*/
- if (before(ack, prior_snd_una))
+ if (before(ack, prior_snd_una)) {
+ /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
+ if (before(ack, prior_snd_una - tp->max_window)) {
+ tcp_send_challenge_ack(sk);
+ return -1;
+ }
goto old_ack;
+ }
/* If the ack includes data we haven't sent yet, discard
* this segment (RFC793 Section 3.9).
@@ -5168,23 +5192,6 @@ out:
}
#endif /* CONFIG_NET_DMA */
-static void tcp_send_challenge_ack(struct sock *sk)
-{
- /* unprotected vars, we dont care of overwrites */
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
- u32 now = jiffies / HZ;
-
- if (now != challenge_timestamp) {
- challenge_timestamp = now;
- challenge_count = 0;
- }
- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
-}
-
/* Does PAWS and seqno based validation of an incoming segment, flags will
* play significant role here.
*/
next prev parent reply other threads:[~2013-01-09 20:35 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-09 20:34 [ 00/47] 3.0.58-stable review Greg Kroah-Hartman
2013-01-09 20:34 ` [ 01/47] bonding: Bonding driver does not consider the gso_max_size/gso_max_segs setting of slave devices Greg Kroah-Hartman
2013-01-09 20:34 ` [ 02/47] bonding: fix race condition in bonding_store_slaves_active Greg Kroah-Hartman
2013-01-09 20:34 ` [ 03/47] sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails Greg Kroah-Hartman
2013-01-09 20:34 ` [ 04/47] sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall Greg Kroah-Hartman
2013-01-09 20:35 ` [ 05/47] ne2000: add the right platform device Greg Kroah-Hartman
2013-01-09 20:35 ` [ 06/47] irda: sir_dev: Fix copy/paste typo Greg Kroah-Hartman
2013-01-09 20:35 ` [ 07/47] usb/ipheth: Add iPhone 5 support Greg Kroah-Hartman
2013-01-09 20:35 ` [ 08/47] pnpacpi: fix incorrect TEST_ALPHA() test Greg Kroah-Hartman
2013-01-09 20:35 ` [ 09/47] exec: do not leave bprm->interp on stack Greg Kroah-Hartman
2013-01-09 20:35 ` [ 10/47] x86, 8042: Enable A20 using KBC to fix S3 resume on some MSI laptops Greg Kroah-Hartman
2013-01-09 20:35 ` [ 11/47] virtio: force vring descriptors to be allocated from lowmem Greg Kroah-Hartman
2013-01-09 20:35 ` [ 12/47] mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED Greg Kroah-Hartman
2013-01-09 20:35 ` [ 13/47] tmpfs mempolicy: fix /proc/mounts corrupting memory Greg Kroah-Hartman
2013-01-09 20:35 ` [ 14/47] ALSA: usb-audio: Avoid autopm calls after disconnection Greg Kroah-Hartman
2013-01-09 20:35 ` [ 15/47] ALSA: usb-audio: Fix missing autopm for MIDI input Greg Kroah-Hartman
2013-01-09 20:35 ` [ 16/47] p54usb: add USB ID for T-Com Sinus 154 data II Greg Kroah-Hartman
2013-01-09 20:35 ` [ 17/47] p54usb: add USBIDs for two more p54usb devices Greg Kroah-Hartman
2013-01-09 20:35 ` [ 18/47] usb: gadget: phonet: free requests in pn_bind()s error path Greg Kroah-Hartman
2013-01-09 20:35 ` [ 19/47] ACPI / scan: Do not use dummy HID for system bus ACPI nodes Greg Kroah-Hartman
2013-01-09 20:35 ` [ 20/47] NFS: avoid NULL dereference in nfs_destroy_server Greg Kroah-Hartman
2013-01-09 20:35 ` [ 21/47] NFS: Fix calls to drop_nlink() Greg Kroah-Hartman
2013-01-09 20:35 ` [ 22/47] nfsd4: fix oops on unusual readlike compound Greg Kroah-Hartman
2013-01-09 20:35 ` [ 23/47] nfs: fix null checking in nfs_get_option_str() Greg Kroah-Hartman
2013-01-09 20:35 ` [ 24/47] Input: walkera0701 - fix crash on startup Greg Kroah-Hartman
2013-01-09 20:35 ` [ 25/47] genirq: Always force thread affinity Greg Kroah-Hartman
2013-01-09 20:35 ` [ 26/47] xhci: Add Lynx Point LP to list of Intel switchable hosts Greg Kroah-Hartman
2013-01-09 20:35 ` [ 27/47] cgroup: remove incorrect dget/dput() pair in cgroup_create_dir() Greg Kroah-Hartman
2013-01-09 20:35 ` [ 28/47] x86, amd: Disable way access filter on Piledriver CPUs Greg Kroah-Hartman
2013-01-09 20:35 ` [ 29/47] ftrace: Do not function trace inlined functions Greg Kroah-Hartman
2013-01-09 20:35 ` [ 30/47] sparc: huge_ptep_set_* functions need to call set_huge_pte_at() Greg Kroah-Hartman
2013-01-09 20:35 ` [ 31/47] net: sched: integer overflow fix Greg Kroah-Hartman
2013-01-09 20:35 ` [ 32/47] tcp: implement RFC 5961 3.2 Greg Kroah-Hartman
2013-01-09 20:35 ` [ 33/47] tcp: implement RFC 5961 4.2 Greg Kroah-Hartman
2013-01-09 20:35 ` [ 34/47] tcp: refine SYN handling in tcp_validate_incoming Greg Kroah-Hartman
2013-01-09 20:35 ` [ 35/47] tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming() Greg Kroah-Hartman
2013-01-09 20:35 ` Greg Kroah-Hartman [this message]
2013-01-09 20:35 ` [ 37/47] ARM: mm: use pteval_t to represent page protection values Greg Kroah-Hartman
2013-01-09 20:35 ` [ 38/47] ARM: missing ->mmap_sem around find_vma() in swp_emulate.c Greg Kroah-Hartman
2013-01-09 20:35 ` [ 39/47] solos-pci: fix double-free of TX skb in DMA mode Greg Kroah-Hartman
2013-01-09 20:35 ` [ 40/47] PCI: Reduce Ricoh 0xe822 SD card reader base clock frequency to 50MHz Greg Kroah-Hartman
2013-01-09 20:35 ` [ 41/47] Bluetooth: ath3k: Add support for VAIO VPCEH [0489:e027] Greg Kroah-Hartman
2013-01-09 20:35 ` [ 42/47] Bluetooth: cancel power_on work when unregistering the device Greg Kroah-Hartman
2013-01-09 20:35 ` [ 43/47] CRIS: fix I/O macros Greg Kroah-Hartman
2013-01-09 20:35 ` [ 44/47] drivers/rtc/rtc-vt8500.c: correct handling of CR_24H bitfield Greg Kroah-Hartman
2013-01-09 20:35 ` [ 45/47] drivers/rtc/rtc-vt8500.c: fix handling of data passed in struct rtc_time Greg Kroah-Hartman
2013-01-09 20:35 ` [ 46/47] mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT Greg Kroah-Hartman
2013-01-09 20:35 ` [ 47/47] can: Do not call dev_put if restart timer is running upon close Greg Kroah-Hartman
2013-01-10 18:01 ` [ 00/47] 3.0.58-stable review Shuah Khan
2013-01-11 14:47 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130109201733.648924777@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hkchu@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ncardwell@google.com \
--cc=stable@vger.kernel.org \
--cc=ycheng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).