android_kernel_oneplus_msm8998/net
Eric Dumazet 87d96d1ba2 tcp: better validation of received ack sequences
[ Upstream commit d0e1a1b5a833b625c93d3d49847609350ebd79db ]

Paul Fiterau Brostean reported :

<quote>
Linux TCP stack we analyze exhibits behavior that seems odd to me.
The scenario is as follows (all packets have empty payloads, no window
scaling, rcv/snd window size should not be a factor):

       TEST HARNESS (CLIENT)                        LINUX SERVER

   1.  -                                          LISTEN (server listen,
then accepts)

   2.  - --> <SEQ=100><CTL=SYN>               --> SYN-RECEIVED

   3.  - <-- <SEQ=300><ACK=101><CTL=SYN,ACK>  <-- SYN-RECEIVED

   4.  - --> <SEQ=101><ACK=301><CTL=ACK>      --> ESTABLISHED

   5.  - <-- <SEQ=301><ACK=101><CTL=FIN,ACK>  <-- FIN WAIT-1 (server
opts to close the data connection calling "close" on the connection
socket)

   6.  - --> <SEQ=101><ACK=99999><CTL=FIN,ACK> --> CLOSING (client sends
FIN,ACK with not yet sent acknowledgement number)

   7.  - <-- <SEQ=302><ACK=102><CTL=ACK>      <-- CLOSING (ACK is 102
instead of 101, why?)

... (silence from CLIENT)

   8.  - <-- <SEQ=301><ACK=102><CTL=FIN,ACK>  <-- CLOSING
(retransmission, again ACK is 102)

Now, note that packet 6 while having the expected sequence number,
acknowledges something that wasn't sent by the server. So I would expect
the packet to maybe prompt an ACK response from the server, and then be
ignored. Yet it is not ignored and actually leads to an increase of the
acknowledgement number in the server's retransmission of the FIN,ACK
packet. The explanation I found is that the FIN in packet 6 was
processed, despite the acknowledgement number being unacceptable.
Further experiments indeed show that the server processes this FIN,
transitioning to CLOSING, then on receiving an ACK for the FIN it had
sent in packet 5, the server (or better said connection) transitions
from CLOSING to TIME_WAIT (as signaled by netstat).

</quote>

Indeed, tcp_rcv_state_process() calls tcp_ack() but
does not exploit the @acceptable status but for TCP_SYN_RECV
state.

What we want here is to send a challenge ACK, if not in TCP_SYN_RECV
state. TCP_FIN_WAIT1 state is not the only state we should fix.

Add a FLAG_NO_CHALLENGE_ACK so that tcp_rcv_state_process()
can choose to send a challenge ACK and discard the packet instead
of wrongly changing socket state.

With help from Neal Cardwell.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Paul Fiterau Brostean <p.fiterau-brostean@science.ru.nl>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-13 19:50:11 +02:00
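The following is an added model of the behaviour described in the commit message above; it is not kernel code and not part of the original page. It replays the report's steps 5 to 8 against a tiny state machine: with `validate_ack=False` the FIN in packet 6 is consumed even though its ACK number (99999) lies beyond anything the server sent, so the retransmitted FIN carries ACK=102; with `validate_ack=True` the unacceptable ACK is answered with a challenge ACK and the segment is discarded, which is the fix's intent. The names `Conn`, `Segment`, `rcv_state_process` and the `validate_ack` switch are assumptions of this illustration; the real `tcp_rcv_state_process()` / `tcp_ack()` are far larger, and SYN_RECV, which the commit treats separately, is left out.

```python
"""Toy model of the ACK-validation change (added example, not kernel code)."""
from dataclasses import dataclass, field
from typing import List, Tuple

SEQ_MASK = 0xFFFFFFFF


def before(a: int, b: int) -> bool:
    """Modular compare: is 'a' earlier than 'b' in 32-bit sequence space?"""
    return ((a - b) & SEQ_MASK) >= 0x80000000


def after(a: int, b: int) -> bool:
    return before(b, a)


@dataclass
class Segment:
    seq: int
    ack: int
    fin: bool = False


@dataclass
class Conn:
    state: str
    snd_una: int          # oldest byte we sent that is still unacknowledged
    snd_nxt: int          # next sequence number we will send
    rcv_nxt: int          # next sequence number we expect from the peer
    sent: List[Segment] = field(default_factory=list)


def ack_acceptable(conn: Conn, seg: Segment) -> bool:
    """Simplified verdict: an ACK beyond snd_nxt covers data never sent and an
    ACK behind snd_una is stale; neither is acceptable."""
    if after(seg.ack, conn.snd_nxt):
        return False
    if before(seg.ack, conn.snd_una):
        return False
    return True


def send_challenge_ack(conn: Conn) -> Segment:
    """A challenge ACK just restates our snd_nxt/rcv_nxt and changes no state."""
    seg = Segment(seq=conn.snd_nxt, ack=conn.rcv_nxt)
    conn.sent.append(seg)
    return seg


def rcv_state_process(conn: Conn, seg: Segment, validate_ack: bool) -> str:
    """Process one segment in a non-ESTABLISHED state (SYN_RECV not modelled).

    validate_ack=False reproduces the reported behaviour: the ACK verdict is
    ignored and the FIN is processed anyway. validate_ack=True is the fixed
    path: an unacceptable ACK gets a challenge ACK and the segment is dropped.
    """
    if conn.state == "SYN_RECV":
        raise NotImplementedError("SYN_RECV handling is outside this model")
    acceptable = ack_acceptable(conn, seg)
    if validate_ack and not acceptable:
        send_challenge_ack(conn)
        return "discarded"
    if acceptable:
        conn.snd_una = seg.ack
    # Only an in-order FIN is consumed; a FIN with a wrong SEQ is left alone.
    if seg.fin and seg.seq == conn.rcv_nxt:
        conn.rcv_nxt = (conn.rcv_nxt + 1) & SEQ_MASK
        if conn.state == "FIN_WAIT1":
            # Our own FIN acked as well -> TIME_WAIT; otherwise simultaneous close.
            conn.state = "TIME_WAIT" if conn.snd_una == conn.snd_nxt else "CLOSING"
        elif conn.state == "FIN_WAIT2":
            conn.state = "TIME_WAIT"
    return "processed"


def retransmit_fin(conn: Conn) -> Segment:
    """Retransmission of our outstanding FIN; its ACK field exposes rcv_nxt."""
    seg = Segment(seq=conn.snd_una, ack=conn.rcv_nxt, fin=True)
    conn.sent.append(seg)
    return seg


def run_report_scenario(validate_ack: bool) -> Tuple[Conn, str, Segment]:
    """Server right after step 5 of the report: it sent <SEQ=301><ACK=101><FIN,ACK>,
    so snd_una=301 (FIN unacked), snd_nxt=302, rcv_nxt=101, state FIN_WAIT1.
    Packet 6, <SEQ=101><ACK=99999><FIN,ACK>, is constructed from the report."""
    conn = Conn(state="FIN_WAIT1", snd_una=301, snd_nxt=302, rcv_nxt=101)
    pkt6 = Segment(seq=101, ack=99999, fin=True)
    verdict = rcv_state_process(conn, pkt6, validate_ack)
    retrans = retransmit_fin(conn)   # packet 8 in the report
    return conn, verdict, retrans


if __name__ == "__main__":
    for fixed in (False, True):
        conn, verdict, retrans = run_report_scenario(fixed)
        print(f"validate_ack={fixed}: {verdict}, state={conn.state}, "
              f"retransmitted FIN carries ACK={retrans.ack}")
```

Running the script prints the two outcomes side by side: the unvalidated path ends in CLOSING with ACK=102 exactly as the report observed, while the validated path stays in FIN_WAIT1 and answers with `<SEQ=302><ACK=101>`. The modular `before`/`after` helpers matter because a peer's ACK number can legitimately wrap past 2^32, so a plain integer comparison would misjudge acceptability around the wrap point.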
6lowpan 6lowpan: put mcast compression in an own function 2015-10-21 00:49:25 +02:00
9p net/9p: Switch to wait_event_killable() 2017-11-30 08:37:25 +00:00
802
8021q net/8021q: create device with all possible features in wanted_features 2018-03-22 09:23:21 +01:00
appletalk
atm atm: deal with setting entry before mkip was called 2015-09-17 22:13:32 -07:00
ax25 ax25: Fix segfault after sock connection timeout 2017-02-04 09:45:09 +01:00
batman-adv batman-adv: handle race condition for claims between gateways 2018-03-22 09:23:21 +01:00
bluetooth Bluetooth: Fix missing encryption refresh on Security Request 2018-04-08 11:51:59 +02:00
bridge netfilter: bridge: ebt_among: add more missing match size checks 2018-04-08 11:51:59 +02:00
caif net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx 2017-07-05 14:37:14 +02:00
can can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once 2018-01-31 12:06:08 +01:00
ceph libceph: NULL deref on crush_decode() error path 2018-04-13 19:50:10 +02:00
core neighbour: update neigh timestamps iff update is effective 2018-04-13 19:50:06 +02:00
dcb net/dcb: make dcbnl.c explicitly non-modular 2015-10-09 07:52:27 -07:00
dccp dccp: check sk for closed state in dccp_sendmsg() 2018-03-31 18:12:33 +02:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:03:38 +01:00
dns_resolver KEYS: Fix race between updating and finding a negative key 2017-10-27 10:23:18 +02:00
dsa net: dsa: select NET_SWITCHDEV 2017-11-15 17:13:11 +01:00
ethernet net: introduce device min_header_len 2017-02-18 16:39:27 +01:00
hsr net/hsr: fix a warning message 2015-11-23 14:56:15 -05:00
ieee802154 net: ieee802154: fix net_device reference release too early 2018-04-13 19:50:10 +02:00
ipv4 tcp: better validation of received ack sequences 2018-04-13 19:50:11 +02:00
ipv6 ipv6: avoid dad-failures for addresses with NODAD 2018-04-13 19:50:06 +02:00
ipx ipx: call ipxitf_put() in ioctl error path 2017-05-25 14:30:13 +02:00
irda irda: do not leak initialized list.dev to userspace 2017-08-30 10:19:21 +02:00
iucv net/iucv: Free memory obtained by kzalloc 2018-03-31 18:12:33 +02:00
key af_key: Fix slab-out-of-bounds in pfkey_compile_policy. 2018-04-13 19:50:01 +02:00
l2tp l2tp: do not accept arbitrary sockets 2018-03-31 18:12:33 +02:00
l3mdev net: Add netif_is_l3_slave 2015-10-07 04:27:43 -07:00
lapb
llc net/llc: avoid BUG_ON() in skb_orphan() 2017-02-26 11:07:49 +01:00
mac80211 mac80211: bail out from prep_connection() if a reconfig is ongoing 2018-04-13 19:50:01 +02:00
mac802154 mac802154: llsec: use kzfree 2015-10-21 00:49:24 +02:00
mpls mpls, nospec: Sanitize array index in mpls_label_ok() 2018-03-11 16:19:47 +01:00
netfilter netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize 2018-04-13 19:50:10 +02:00
netlabel netlabel: add address family checks to netlbl_{sock,req}_delattr() 2016-08-20 18:09:22 +02:00
netlink netlink: avoid a double skb free in genlmsg_mcast() 2018-03-31 18:12:33 +02:00
netrom
nfc NFC: fix device-allocation error return 2017-11-30 08:37:23 +00:00
openvswitch openvswitch: Delete conntrack entry clashing with an expectation. 2018-03-24 10:58:43 +01:00
packet net/packet: fix a race in packet_bind() and packet_notifier() 2017-12-16 10:33:56 +01:00
phonet phonet: properly unshare skbs in phonet_rcv() 2016-01-31 11:29:00 -08:00
rds RDS: null pointer dereference in rds_atomic_free_op 2018-01-17 09:35:29 +01:00
rfkill rfkill: fix rfkill_fop_read wait_event usage 2016-03-03 15:07:26 -08:00
rose
rxrpc rxrpc: Fix several cases where a padded len isn't checked in ticket decode 2017-06-29 12:48:52 +02:00
sched sched: act_csum: don't mangle TCP and UDP GSO packets 2018-03-22 09:23:22 +01:00
sctp fixup: sctp: verify size of a new chunk in _sctp_make_chunk() 2018-03-18 11:17:54 +01:00
sunrpc SUNRPC: Allow connect to return EHOSTUNREACH 2018-02-03 17:04:28 +01:00
switchdev switchdev: pass pointer to fib_info instead of copy 2016-06-24 10:18:16 -07:00
tipc tipc: fix memory leak in tipc_accept_from_sock() 2017-12-16 10:33:56 +01:00
unix net/unix: don't show information about sockets from other namespaces 2017-11-18 11:11:06 +01:00
vmw_vsock vsock: use new wait API for vsock_stream_sendmsg() 2017-11-30 08:37:19 +00:00
wimax net:wimax: Fix doucble word "the the" in networking.xml 2015-08-09 22:43:52 -07:00
wireless nl80211: Sanitize array index in parse_txq_params 2018-02-25 11:03:53 +01:00
x25 net: x25: fix one potential use-after-free issue 2018-04-13 19:50:07 +02:00
xfrm xfrm: fix state migration copy replay sequence numbers 2018-04-13 19:50:08 +02:00
compat.c audit: log 32-bit socketcalls 2017-10-08 10:14:18 +02:00
Kconfig Make DST_CACHE a silent config option 2018-02-25 11:03:37 +01:00
Makefile net: Introduce L3 Master device abstraction 2015-09-29 20:40:32 -07:00
socket.c bpf: introduce BPF_JIT_ALWAYS_ON config 2018-02-03 17:04:24 +01:00
sysctl_net.c net: Use ns_capable_noaudit() when determining net sysctl permissions 2016-09-15 08:27:50 +02:00