Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp24837pxk; Tue, 15 Sep 2020 16:43:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyQ9tJ4LzdjPtaKztT+ueuv+vMFkVbCswFyI3S3phlewS5/Cvh5VVPo39B+D2cuSYAM/wiJ X-Received: by 2002:a05:6402:18d:: with SMTP id r13mr24045590edv.267.1600213396727; Tue, 15 Sep 2020 16:43:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600213396; cv=none; d=google.com; s=arc-20160816; b=fM5TqMo2cDABDPxTBtHWsxEweOu5CkgVVO08FwDQEUmkx8DXngWxyXA2x3RuPWZN3y EWK+Cc2atLr7lbsElmJT9WDpOkYpjzy1NUeRUSEuAj4ZnOcJAsgefkz/ZnJx4osgUoYb zEGD6Vat/RdrTGCllzBZDPooVGM7r3ruV6FYGIrkn/TEtdvfJVHwFnVrxJXRQbWHFXYH BiNUAk4avB+CcutHy4/0BoUcVt7itmUifwMVVZQ1wGrzCQZxPLJMvTWP2OZuGvMZJqFy V65c5Au8S7CRvqzhKmXLDxD6JXbOswTmyP8i49sDQx6ueSbbPk+6SBvi1DXFfGvoCE23 aIqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=egYgeh1MLgiEpo4gZxnJZlFXjfiGgtXjijD9POA4sJQ=; b=CwiPKjXTBX60xxDqTIKzfDWQeWa499dTx5KLRCx7UjbjlaU5O1/61kNuQfl/c1qZ5Y o0OyenAolXQpmWHH98glMZMKNkM9AdsAuyDHyBslbiDamxVo4YTVGC+sh7FfUK2Sfums 1nOJshcRSCKoPUEXVN2gISdhB72rbDwjip968iQptNsCZlf43sues/uFuEf+kUBcBVUX 8OtW44ENtMkz1+LkwyLJTIWmBnL94FBHA41equQZk9JSRITAWdfyPcgbWFXVSalnz61T /OD/ziqCgKtr/NJR0KkBSxNH0N+72tdDDkRX0GcKbnXMo2T5irw/v1UXa6VgkdVf13+A vBzw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=2CLYtzkO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p16si10131525edm.382.2020.09.15.16.42.54; Tue, 15 Sep 2020 16:43:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=2CLYtzkO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727484AbgIOXly (ORCPT + 99 others); Tue, 15 Sep 2020 19:41:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:46444 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727108AbgIOOem (ORCPT ); Tue, 15 Sep 2020 10:34:42 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 50EF721D91; Tue, 15 Sep 2020 14:15:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600179333; bh=6lJqYousbkRWzTnKPucX719ewW66jKHGJq1Or/5QNn8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2CLYtzkO/9UM9YfzWcQignThgXtcAAkw3uplwCBaXgJ5cZOHmrtIsCPtulFq0twmf 6+GGXMzlYnue8IQv6/WquorLljHIuulVu4AkG9Ush48nrzdHXbwR5jIPN6i8N0s4Na AwspHp1xbGLAuWmGENuN0i2JBsALGzVUFXhMyOqA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Florian Westphal , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.19 19/78] netfilter: conntrack: allow sctp hearbeat after connection re-use Date: Tue, 15 Sep 2020 16:12:44 +0200 Message-Id: <20200915140634.526206757@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200915140633.552502750@linuxfoundation.org> References: <20200915140633.552502750@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Florian Westphal [ Upstream commit cc5453a5b7e90c39f713091a7ebc53c1f87d1700 ] If an sctp connection gets re-used, heartbeats are flagged as invalid because their vtag doesn't match. Handle this in a similar way as TCP conntrack when it suspects that the endpoints and conntrack are out-of-sync. When a HEARTBEAT request fails its vtag validation, flag this in the conntrack state and accept the packet. When a HEARTBEAT_ACK is received with an invalid vtag in the reverse direction after we allowed such a HEARTBEAT through, assume we are out-of-sync and re-set the vtag info. v2: remove left-over snippet from an older incarnation that moved new_state/old_state assignments, thats not needed so keep that as-is. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- include/linux/netfilter/nf_conntrack_sctp.h | 2 ++ net/netfilter/nf_conntrack_proto_sctp.c | 39 ++++++++++++++++++--- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h index 9a33f171aa822..625f491b95de8 100644 --- a/include/linux/netfilter/nf_conntrack_sctp.h +++ b/include/linux/netfilter/nf_conntrack_sctp.h @@ -9,6 +9,8 @@ struct ip_ct_sctp { enum sctp_conntrack state; __be32 vtag[IP_CT_DIR_MAX]; + u8 last_dir; + u8 flags; }; #endif /* _NF_CONNTRACK_SCTP_H */ diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 7d7e30ea0ecf9..a937d4f75613f 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c @@ -65,6 +65,8 @@ static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = { [SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS, }; +#define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1 + #define sNO SCTP_CONNTRACK_NONE #define sCL SCTP_CONNTRACK_CLOSED #define sCW SCTP_CONNTRACK_COOKIE_WAIT @@ -288,6 +290,7 @@ static int sctp_packet(struct nf_conn *ct, u_int32_t offset, count; unsigned int *timeouts; unsigned long map[256 / sizeof(unsigned long)] = { 0 }; + bool ignore = false; sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); if (sh == NULL) @@ -332,15 +335,39 @@ static int sctp_packet(struct nf_conn *ct, /* Sec 8.5.1 (D) */ if (sh->vtag != ct->proto.sctp.vtag[dir]) goto out_unlock; - } else if (sch->type == SCTP_CID_HEARTBEAT || - sch->type == SCTP_CID_HEARTBEAT_ACK) { + } else if (sch->type == SCTP_CID_HEARTBEAT) { + if (ct->proto.sctp.vtag[dir] == 0) { + pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir); + ct->proto.sctp.vtag[dir] = sh->vtag; + } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { + if (test_bit(SCTP_CID_DATA, map) || ignore) + goto out_unlock; + + ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED; + ct->proto.sctp.last_dir = dir; + ignore = true; + continue; + } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { + ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; + } + } else if (sch->type == SCTP_CID_HEARTBEAT_ACK) { if (ct->proto.sctp.vtag[dir] == 0) { pr_debug("Setting vtag %x for dir %d\n", sh->vtag, dir); ct->proto.sctp.vtag[dir] = sh->vtag; } else if (sh->vtag != ct->proto.sctp.vtag[dir]) { - pr_debug("Verification tag check failed\n"); - goto out_unlock; + if (test_bit(SCTP_CID_DATA, map) || ignore) + goto out_unlock; + + if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 || + ct->proto.sctp.last_dir == dir) + goto out_unlock; + + ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; + ct->proto.sctp.vtag[dir] = sh->vtag; + ct->proto.sctp.vtag[!dir] = 0; + } else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) { + ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED; } } @@ -375,6 +402,10 @@ static int sctp_packet(struct nf_conn *ct, } spin_unlock_bh(&ct->lock); + /* allow but do not refresh timeout */ + if (ignore) + return NF_ACCEPT; + timeouts = nf_ct_timeout_lookup(ct); if (!timeouts) timeouts = sctp_pernet(nf_ct_net(ct))->timeouts; -- 2.25.1