aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--net/ipv4/tcp_ipv4.c16
-rw-r--r--net/ipv6/tcp_ipv6.c10
2 files changed, 12 insertions, 14 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 2fb0945b9d83..56f8c6395966 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1112,10 +1112,13 @@ clear_hash_noput:
1112} 1112}
1113EXPORT_SYMBOL(tcp_v4_md5_hash_skb); 1113EXPORT_SYMBOL(tcp_v4_md5_hash_skb);
1114 1114
1115#endif
1116
1115/* Called with rcu_read_lock() */ 1117/* Called with rcu_read_lock() */
1116static bool tcp_v4_inbound_md5_hash(struct sock *sk, 1118static bool tcp_v4_inbound_md5_hash(const struct sock *sk,
1117 const struct sk_buff *skb) 1119 const struct sk_buff *skb)
1118{ 1120{
1121#ifdef CONFIG_TCP_MD5SIG
1119 /* 1122 /*
1120 * This gets called for each TCP segment that arrives 1123 * This gets called for each TCP segment that arrives
1121 * so we want to be efficient. 1124 * so we want to be efficient.
@@ -1165,8 +1168,9 @@ static bool tcp_v4_inbound_md5_hash(struct sock *sk,
1165 return true; 1168 return true;
1166 } 1169 }
1167 return false; 1170 return false;
1168}
1169#endif 1171#endif
1172 return false;
1173}
1170 1174
1171static void tcp_v4_init_req(struct request_sock *req, 1175static void tcp_v4_init_req(struct request_sock *req,
1172 const struct sock *sk_listener, 1176 const struct sock *sk_listener,
@@ -1607,16 +1611,8 @@ process:
1607 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) 1611 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
1608 goto discard_and_relse; 1612 goto discard_and_relse;
1609 1613
1610#ifdef CONFIG_TCP_MD5SIG
1611 /*
1612 * We really want to reject the packet as early as possible
1613 * if:
1614 * o We're expecting an MD5'd packet and this is no MD5 tcp option
1615 * o There is an MD5 option and we're not expecting one
1616 */
1617 if (tcp_v4_inbound_md5_hash(sk, skb)) 1614 if (tcp_v4_inbound_md5_hash(sk, skb))
1618 goto discard_and_relse; 1615 goto discard_and_relse;
1619#endif
1620 1616
1621 nf_reset(skb); 1617 nf_reset(skb);
1622 1618
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index e463583c39ee..65e797dba504 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -622,8 +622,12 @@ clear_hash_noput:
622 return 1; 622 return 1;
623} 623}
624 624
625static bool tcp_v6_inbound_md5_hash(struct sock *sk, const struct sk_buff *skb) 625#endif
626
627static bool tcp_v6_inbound_md5_hash(const struct sock *sk,
628 const struct sk_buff *skb)
626{ 629{
630#ifdef CONFIG_TCP_MD5SIG
627 const __u8 *hash_location = NULL; 631 const __u8 *hash_location = NULL;
628 struct tcp_md5sig_key *hash_expected; 632 struct tcp_md5sig_key *hash_expected;
629 const struct ipv6hdr *ip6h = ipv6_hdr(skb); 633 const struct ipv6hdr *ip6h = ipv6_hdr(skb);
@@ -660,9 +664,9 @@ static bool tcp_v6_inbound_md5_hash(struct sock *sk, const struct sk_buff *skb)
660 &ip6h->daddr, ntohs(th->dest)); 664 &ip6h->daddr, ntohs(th->dest));
661 return true; 665 return true;
662 } 666 }
667#endif
663 return false; 668 return false;
664} 669}
665#endif
666 670
667static void tcp_v6_init_req(struct request_sock *req, 671static void tcp_v6_init_req(struct request_sock *req,
668 const struct sock *sk_listener, 672 const struct sock *sk_listener,
@@ -1408,10 +1412,8 @@ process:
1408 1412
1409 tcp_v6_fill_cb(skb, hdr, th); 1413 tcp_v6_fill_cb(skb, hdr, th);
1410 1414
1411#ifdef CONFIG_TCP_MD5SIG
1412 if (tcp_v6_inbound_md5_hash(sk, skb)) 1415 if (tcp_v6_inbound_md5_hash(sk, skb))
1413 goto discard_and_relse; 1416 goto discard_and_relse;
1414#endif
1415 1417
1416 if (sk_filter(sk, skb)) 1418 if (sk_filter(sk, skb))
1417 goto discard_and_relse; 1419 goto discard_and_relse;
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-27 15:03:30 -0400