Commit 6f0012e3 authored by Eric Dumazet's avatar Eric Dumazet Committed by Jakub Kicinski

tcp: add a missing nf_reset_ct() in 3WHS handling

When the third packet of 3WHS connection establishment
contains payload, it is added into socket receive queue
without the XFRM check and the drop of connection tracking
context.

This means that if the data is left unread in the socket
receive queue, conntrack module can not be unloaded.

As most applications usually reads the incoming data
immediately after accept(), bug has been hiding for
quite a long time.

Commit 68822bdf ("net: generalize skb freeing
deferral to per-cpu lists") exposed this bug because
even if the application reads this data, the skb
with nfct state could stay in a per-cpu cache for
an arbitrary time, if said cpu no longer process RX softirqs.

Many thanks to Ilya Maximets for reporting this issue,
and for testing various patches:
https://lore.kernel.org/netdev/20220619003919.394622-1-i.maximets@ovn.org/

Note that I also added a missing xfrm4_policy_check() call,
although this is probably not a big issue, as the SYN
packet should have been dropped earlier.

Fixes: b59c2701 ("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done")
Reported-by: default avatarIlya Maximets <i.maximets@ovn.org>
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Tested-by: default avatarIlya Maximets <i.maximets@ovn.org>
Reviewed-by: default avatarIlya Maximets <i.maximets@ovn.org>
Link: https://lore.kernel.org/r/20220623050436.1290307-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 935336c1
...@@ -1964,7 +1964,10 @@ int tcp_v4_rcv(struct sk_buff *skb) ...@@ -1964,7 +1964,10 @@ int tcp_v4_rcv(struct sk_buff *skb)
struct sock *nsk; struct sock *nsk;
sk = req->rsk_listener; sk = req->rsk_listener;
drop_reason = tcp_inbound_md5_hash(sk, skb, if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
drop_reason = SKB_DROP_REASON_XFRM_POLICY;
else
drop_reason = tcp_inbound_md5_hash(sk, skb,
&iph->saddr, &iph->daddr, &iph->saddr, &iph->daddr,
AF_INET, dif, sdif); AF_INET, dif, sdif);
if (unlikely(drop_reason)) { if (unlikely(drop_reason)) {
...@@ -2016,6 +2019,7 @@ int tcp_v4_rcv(struct sk_buff *skb) ...@@ -2016,6 +2019,7 @@ int tcp_v4_rcv(struct sk_buff *skb)
} }
goto discard_and_relse; goto discard_and_relse;
} }
nf_reset_ct(skb);
if (nsk == sk) { if (nsk == sk) {
reqsk_put(req); reqsk_put(req);
tcp_v4_restore_cb(skb); tcp_v4_restore_cb(skb);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment