Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756562Ab3DKHsw (ORCPT ); Thu, 11 Apr 2013 03:48:52 -0400 Received: from mail-lb0-f179.google.com ([209.85.217.179]:40744 "EHLO mail-lb0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753869Ab3DKHsu (ORCPT ); Thu, 11 Apr 2013 03:48:50 -0400 Date: Thu, 11 Apr 2013 11:46:00 +0400 From: Dmitry Popov To: David Miller Cc: kuznet@ms2.inr.ac.ru, jmorris@namei.org, yoshfuji@linux-ipv6.org, kaber@trash.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] tcp: incoming connections might use wrong route under synflood Message-Id: <20130411114600.14cb8a5d5a5dee9e2f1306b5@highloadlab.com> In-Reply-To: <20130410.232612.1922869742696275542.davem@davemloft.net> References: <20130411000909.d90c6df468bf1830174e88e2@highloadlab.com> <20130410.232612.1922869742696275542.davem@davemloft.net> X-Mailer: Sylpheed 3.3.0 (GTK+ 2.24.15; x86_64-unknown-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2556 Lines: 61 There is a bug in cookie_v4_check (net/ipv4/syncookies.c): flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used by new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take the wrong path. Signed-off-by: Dmitry Popov --- net/ipv4/syncookies.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c index ef54377..397e0f6 100644 --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c @@ -349,8 +349,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, * hasn't changed since we received the original syn, but I see * no easy way to do this. */ - flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), - RT_SCOPE_UNIVERSE, IPPROTO_TCP, + flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark, + RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); On Wed, 10 Apr 2013 23:26:12 -0400 (EDT) David Miller wrote: > From: Dmitry Popov > Date: Thu, 11 Apr 2013 00:09:09 +0400 > > > There is a bug in cookie_v4_check (net/ipv4/syncookies.c): > > flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), > > RT_SCOPE_UNIVERSE, IPPROTO_TCP, > > inet_sk_flowi_flags(sk), > > (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, > > ireq->loc_addr, th->source, th->dest); > > > > Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used in new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take wrong path. There is no such bug in ipv6 code and non-cookie code (usual case). Bugfix below. > > > > Signed-off-by: Dmitry Popov > > Please format your commit messages properly, by not allowing lines of > text longer than 80 columns. > > Thank you. -- Dmitry Popov -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/