| From 1aee8da8ca58d9b2dd09abb6b3acac3fd9957e63 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 6 Apr 2022 15:41:12 +0300 |
| Subject: bpf: Support dual-stack sockets in bpf_tcp_check_syncookie |
| |
| From: Maxim Mikityanskiy <maximmi@nvidia.com> |
| |
| [ Upstream commit 2e8702cc0cfa1080f29fd64003c00a3e24ac38de ] |
| |
| bpf_tcp_gen_syncookie looks at the IP version in the IP header and |
| validates the address family of the socket. It supports IPv4 packets in |
| AF_INET6 dual-stack sockets. |
| |
| On the other hand, bpf_tcp_check_syncookie looks only at the address |
| family of the socket, ignoring the real IP version in headers, and |
| validates only the packet size. This implementation has some drawbacks: |
| |
| 1. Packets are not validated properly, allowing a BPF program to trick |
| bpf_tcp_check_syncookie into handling an IPv6 packet on an IPv4 |
| socket. |
| |
| 2. Dual-stack sockets fail the checks on IPv4 packets. IPv4 clients end |
| up receiving a SYNACK with the cookie, but the following ACK gets |
| dropped. |
| |
| This patch fixes these issues by changing the checks in |
| bpf_tcp_check_syncookie to match the ones in bpf_tcp_gen_syncookie. IP |
| version from the header is taken into account, and it is validated |
| properly with address family. |
| |
| Fixes: 399040847084 ("bpf: add helper to check for a valid SYN cookie") |
| Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> |
| Signed-off-by: Alexei Starovoitov <ast@kernel.org> |
| Reviewed-by: Tariq Toukan <tariqt@nvidia.com> |
| Acked-by: Arthur Fabre <afabre@cloudflare.com> |
| Link: https://lore.kernel.org/bpf/20220406124113.2795730-1-maximmi@nvidia.com |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/core/filter.c | 17 +++++++++++++---- |
| 1 file changed, 13 insertions(+), 4 deletions(-) |
| |
| diff --git a/net/core/filter.c b/net/core/filter.c |
| index 4721ed65bcc5..590790c63fa3 100644 |
| --- a/net/core/filter.c |
| +++ b/net/core/filter.c |
| @@ -6719,24 +6719,33 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len |
| if (!th->ack || th->rst || th->syn) |
| return -ENOENT; |
| |
| + if (unlikely(iph_len < sizeof(struct iphdr))) |
| + return -EINVAL; |
| + |
| if (tcp_synq_no_recent_overflow(sk)) |
| return -ENOENT; |
| |
| cookie = ntohl(th->ack_seq) - 1; |
| |
| - switch (sk->sk_family) { |
| - case AF_INET: |
| - if (unlikely(iph_len < sizeof(struct iphdr))) |
| + /* Both struct iphdr and struct ipv6hdr have the version field at the |
| + * same offset so we can cast to the shorter header (struct iphdr). |
| + */ |
| + switch (((struct iphdr *)iph)->version) { |
| + case 4: |
| + if (sk->sk_family == AF_INET6 && ipv6_only_sock(sk)) |
| return -EINVAL; |
| |
| ret = __cookie_v4_check((struct iphdr *)iph, th, cookie); |
| break; |
| |
| #if IS_BUILTIN(CONFIG_IPV6) |
| - case AF_INET6: |
| + case 6: |
| if (unlikely(iph_len < sizeof(struct ipv6hdr))) |
| return -EINVAL; |
| |
| + if (sk->sk_family != AF_INET6) |
| + return -EINVAL; |
| + |
| ret = __cookie_v6_check((struct ipv6hdr *)iph, th, cookie); |
| break; |
| #endif /* CONFIG_IPV6 */ |
| -- |
| 2.35.1 |
| |