dccp: fix the adjustments to AWL and SWL

This fixes a problem and a potential loophole with regard to seqno/ackno validity: currently the initial adjustments to AWL/SWL are only performed once at the begin of the connection, during the handshake. Since the Sequence Window feature is always greater than Wmin=32 (7.5.2), it is however necessary to perform these adjustments at least for the first W/W' (variables as per 7.5.1) packets in the lifetime of a connection. This requirement is complicated by the fact that W/W' can change at any time during the lifetime of a connection. Therefore it is better to perform that safety check each time SWL/AWL are updated, as implemented by the patch. A second problem solved by this patch is that the remote/local Sequence Window feature values (which set the bounds for AWL/SWL/SWH) are undefined until the feature negotiation has completed. During the initial handshake we have more stringent sequence number protection; the changes added by this patch effect that {A,S}W{L,H} are within the correct bounds at the instant that feature negotiation completes (since the SeqWin feature activation handlers call dccp_update_gsr/gss()). Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
author: Gerrit Renker <gerrit@erg.abdn.ac.uk> 2010-10-11 14:35:40 -0400
committer: Gerrit Renker <gerrit@erg.abdn.ac.uk> 2010-10-12 00:57:40 -0400
commit: 0b53d4604ac2b4f2faa9a62a04ea9b383ad2efe0 (patch)
tree: 70ed0d136ef719f33655f78b31650d1c88cd3e00
parent: 0ed8ddf4045fcfcac36bad753dc4046118c603ec (diff)
3 files changed, 35 insertions, 33 deletions
diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h
index 019d6ffee354..e051c774ef5c 100644
--- a/net/dccp/dccp.h
+++ b/net/dccp/dccp.h
@@ -414,6 +414,23 @@ static inline void dccp_update_gsr(struct sock *sk, u64 seq)
        dp->dccps_gsr = seq;
        /* Sequence validity window depends on remote Sequence Window (7.5.1) */
        dp->dccps_swl = SUB48(ADD48(dp->dccps_gsr, 1), dp->dccps_r_seq_win / 4);
+        /*
+         * Adjust SWL so that it is not below ISR. In contrast to RFC 4340,
+         * 7.5.1 we perform this check beyond the initial handshake: W/W' are
+         * always > 32, so for the first W/W' packets in the lifetime of a
+         * connection we always have to adjust SWL.
+         * A second reason why we are doing this is that the window depends on
+         * the feature-remote value of Sequence Window: nothing stops the peer
+         * from updating this value while we are busy adjusting SWL for the
+         * first W packets (we would have to count from scratch again then).
+         * Therefore it is safer to always make sure that the Sequence Window
+         * is not artificially extended by a peer who grows SWL downwards by
+         * continually updating the feature-remote Sequence-Window.
+         * If sequence numbers wrap it is bad luck. But that will take a while
+         * (48 bit), and this measure prevents Sequence-number attacks.
+         */
+        if (before48(dp->dccps_swl, dp->dccps_isr))
+                dp->dccps_swl = dp->dccps_isr;
        dp->dccps_swh = ADD48(dp->dccps_gsr, (3 * dp->dccps_r_seq_win) / 4);
 }
@@ -424,6 +441,9 @@ static inline void dccp_update_gss(struct sock *sk, u64 seq)
        dp->dccps_gss = seq;
        /* Ack validity window depends on local Sequence Window value (7.5.1) */
        dp->dccps_awl = SUB48(ADD48(dp->dccps_gss, 1), dp->dccps_l_seq_win);
+        /* Adjust AWL so that it is not below ISS - see comment above for SWL */
+        if (before48(dp->dccps_awl, dp->dccps_iss))
+                dp->dccps_awl = dp->dccps_iss;
        dp->dccps_awh = dp->dccps_gss;
 }
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 10c957a88f4f..aecc8c7443c2 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -441,20 +441,14 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk,
                kfree_skb(sk->sk_send_head);
                sk->sk_send_head = NULL;
-                dp->dccps_isr = DCCP_SKB_CB(skb)->dccpd_seq;
-                dccp_update_gsr(sk, dp->dccps_isr);
                /*
-                 * SWL and AWL are initially adjusted so that they are not less than
+                 * Set ISR, GSR from packet. ISS was set in dccp_v{4,6}_connect
-                 * the initial Sequence Numbers received and sent, respectively:
+                 * and GSS in dccp_transmit_skb(). Setting AWL/AWH and SWL/SWH
-                 *      SWL := max(GSR + 1 - floor(W/4), ISR),
+                 * is done as part of activating the feature values below, since
-                 *      AWL := max(GSS - W' + 1, ISS).
+                 * these settings depend on the local/remote Sequence Window
-                 * These adjustments MUST be applied only at the beginning of the
+                 * features, which were undefined or not confirmed until now.
-                 * connection.
-                 *
-                 * AWL was adjusted in dccp_v4_connect -acme
                 */
-                dccp_set_seqno(&dp->dccps_swl,
+                dp->dccps_gsr = dp->dccps_isr = DCCP_SKB_CB(skb)->dccpd_seq;
-                               max48(dp->dccps_swl, dp->dccps_isr));
                dccp_sync_mss(sk, icsk->icsk_pmtu_cookie);
diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index 128b089d3aef..d7041a0963af 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -121,30 +121,18 @@ struct sock *dccp_create_openreq_child(struct sock *sk,
                 *
                 *    Choose S.ISS (initial seqno) or set from Init Cookies
                 *    Initialize S.GAR := S.ISS
-                 *    Set S.ISR, S.GSR, S.SWL, S.SWH from packet or Init Cookies
+                 *    Set S.ISR, S.GSR from packet (or Init Cookies)
-                 */
+                 *
-                newdp->dccps_gar = newdp->dccps_iss = dreq->dreq_iss;
+                 *    Setting AWL/AWH and SWL/SWH happens as part of the feature
-                dccp_update_gss(newsk, dreq->dreq_iss);
+                 *    activation below, as these windows all depend on the local
+                 *    and remote Sequence Window feature values (7.5.2).
-                newdp->dccps_isr = dreq->dreq_isr;
-                dccp_update_gsr(newsk, dreq->dreq_isr);
-                /*
-                 * SWL and AWL are initially adjusted so that they are not less than
-                 * the initial Sequence Numbers received and sent, respectively:
-                 *      SWL := max(GSR + 1 - floor(W/4), ISR),
-                 *      AWL := max(GSS - W' + 1, ISS).
-                 * These adjustments MUST be applied only at the beginning of the
-                 * connection.
                 */
-                dccp_set_seqno(&newdp->dccps_swl,
+                newdp->dccps_gss = newdp->dccps_iss = dreq->dreq_iss;
-                               max48(newdp->dccps_swl, newdp->dccps_isr));
+                newdp->dccps_gar = newdp->dccps_iss;
-                dccp_set_seqno(&newdp->dccps_awl,
+                newdp->dccps_gsr = newdp->dccps_isr = dreq->dreq_isr;
-                               max48(newdp->dccps_awl, newdp->dccps_iss));
                /*
-                 * Activate features after initialising the sequence numbers,
+                 * Activate features: initialise CCIDs, sequence windows etc.
-                 * since CCID initialisation may depend on GSS, ISR, ISS etc.
                 */
                if (dccp_feat_activate_values(newsk, &dreq->dreq_featneg)) {
                        /* It is still raw copy of parent, so invalidate
author	Gerrit Renker <gerrit@erg.abdn.ac.uk>	2010-10-11 14:35:40 -0400
committer	Gerrit Renker <gerrit@erg.abdn.ac.uk>	2010-10-12 00:57:40 -0400
commit	0b53d4604ac2b4f2faa9a62a04ea9b383ad2efe0 (patch)
tree	70ed0d136ef719f33655f78b31650d1c88cd3e00
parent	0ed8ddf4045fcfcac36bad753dc4046118c603ec (diff)

diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h index 019d6ffee354..e051c774ef5c 100644 --- a/net/dccp/dccp.h +++ b/net/dccp/dccp.h
@@ -414,6 +414,23 @@ static inline void dccp_update_gsr(struct sock *sk, u64 seq)
414	dp->dccps_gsr = seq;	414	dp->dccps_gsr = seq;
415	/* Sequence validity window depends on remote Sequence Window (7.5.1) */	415	/* Sequence validity window depends on remote Sequence Window (7.5.1) */
416	dp->dccps_swl = SUB48(ADD48(dp->dccps_gsr, 1), dp->dccps_r_seq_win / 4);	416	dp->dccps_swl = SUB48(ADD48(dp->dccps_gsr, 1), dp->dccps_r_seq_win / 4);
		417	/*
		418	* Adjust SWL so that it is not below ISR. In contrast to RFC 4340,
		419	* 7.5.1 we perform this check beyond the initial handshake: W/W' are
		420	* always > 32, so for the first W/W' packets in the lifetime of a
		421	* connection we always have to adjust SWL.
		422	* A second reason why we are doing this is that the window depends on
		423	* the feature-remote value of Sequence Window: nothing stops the peer
		424	* from updating this value while we are busy adjusting SWL for the
		425	* first W packets (we would have to count from scratch again then).
		426	* Therefore it is safer to always make sure that the Sequence Window
		427	* is not artificially extended by a peer who grows SWL downwards by
		428	* continually updating the feature-remote Sequence-Window.
		429	* If sequence numbers wrap it is bad luck. But that will take a while
		430	* (48 bit), and this measure prevents Sequence-number attacks.
		431	*/
		432	if (before48(dp->dccps_swl, dp->dccps_isr))
		433	dp->dccps_swl = dp->dccps_isr;
417	dp->dccps_swh = ADD48(dp->dccps_gsr, (3 * dp->dccps_r_seq_win) / 4);	434	dp->dccps_swh = ADD48(dp->dccps_gsr, (3 * dp->dccps_r_seq_win) / 4);
418	}	435	}
419		436
@@ -424,6 +441,9 @@ static inline void dccp_update_gss(struct sock *sk, u64 seq)
424	dp->dccps_gss = seq;	441	dp->dccps_gss = seq;
425	/* Ack validity window depends on local Sequence Window value (7.5.1) */	442	/* Ack validity window depends on local Sequence Window value (7.5.1) */
426	dp->dccps_awl = SUB48(ADD48(dp->dccps_gss, 1), dp->dccps_l_seq_win);	443	dp->dccps_awl = SUB48(ADD48(dp->dccps_gss, 1), dp->dccps_l_seq_win);
		444	/* Adjust AWL so that it is not below ISS - see comment above for SWL */
		445	if (before48(dp->dccps_awl, dp->dccps_iss))
		446	dp->dccps_awl = dp->dccps_iss;
427	dp->dccps_awh = dp->dccps_gss;	447	dp->dccps_awh = dp->dccps_gss;
428	}	448	}
429		449


diff --git a/net/dccp/input.c b/net/dccp/input.c index 10c957a88f4f..aecc8c7443c2 100644 --- a/net/dccp/input.c +++ b/net/dccp/input.c
@@ -441,20 +441,14 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk,
441	kfree_skb(sk->sk_send_head);	441	kfree_skb(sk->sk_send_head);
442	sk->sk_send_head = NULL;	442	sk->sk_send_head = NULL;
443		443
444	dp->dccps_isr = DCCP_SKB_CB(skb)->dccpd_seq;
445	dccp_update_gsr(sk, dp->dccps_isr);
446	/*	444	/*
447	* SWL and AWL are initially adjusted so that they are not less than	445	* Set ISR, GSR from packet. ISS was set in dccp_v{4,6}_connect
448	* the initial Sequence Numbers received and sent, respectively:	446	* and GSS in dccp_transmit_skb(). Setting AWL/AWH and SWL/SWH
449	* SWL := max(GSR + 1 - floor(W/4), ISR),	447	* is done as part of activating the feature values below, since
450	* AWL := max(GSS - W' + 1, ISS).	448	* these settings depend on the local/remote Sequence Window
451	* These adjustments MUST be applied only at the beginning of the	449	* features, which were undefined or not confirmed until now.
452	* connection.
453	*
454	* AWL was adjusted in dccp_v4_connect -acme
455	*/	450	*/
456	dccp_set_seqno(&dp->dccps_swl,	451	dp->dccps_gsr = dp->dccps_isr = DCCP_SKB_CB(skb)->dccpd_seq;
457	max48(dp->dccps_swl, dp->dccps_isr));
458		452
459	dccp_sync_mss(sk, icsk->icsk_pmtu_cookie);	453	dccp_sync_mss(sk, icsk->icsk_pmtu_cookie);
460		454


diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c index 128b089d3aef..d7041a0963af 100644 --- a/net/dccp/minisocks.c +++ b/net/dccp/minisocks.c
@@ -121,30 +121,18 @@ struct sock dccp_create_openreq_child(struct sock sk,
121	*	121	*
122	* Choose S.ISS (initial seqno) or set from Init Cookies	122	* Choose S.ISS (initial seqno) or set from Init Cookies
123	* Initialize S.GAR := S.ISS	123	* Initialize S.GAR := S.ISS
124	* Set S.ISR, S.GSR, S.SWL, S.SWH from packet or Init Cookies	124	* Set S.ISR, S.GSR from packet (or Init Cookies)
125	*/	125	*
126	newdp->dccps_gar = newdp->dccps_iss = dreq->dreq_iss;	126	* Setting AWL/AWH and SWL/SWH happens as part of the feature
127	dccp_update_gss(newsk, dreq->dreq_iss);	127	* activation below, as these windows all depend on the local
128		128	* and remote Sequence Window feature values (7.5.2).
129	newdp->dccps_isr = dreq->dreq_isr;
130	dccp_update_gsr(newsk, dreq->dreq_isr);
131
132	/*
133	* SWL and AWL are initially adjusted so that they are not less than
134	* the initial Sequence Numbers received and sent, respectively:
135	* SWL := max(GSR + 1 - floor(W/4), ISR),
136	* AWL := max(GSS - W' + 1, ISS).
137	* These adjustments MUST be applied only at the beginning of the
138	* connection.
139	*/	129	*/
140	dccp_set_seqno(&newdp->dccps_swl,	130	newdp->dccps_gss = newdp->dccps_iss = dreq->dreq_iss;
141	max48(newdp->dccps_swl, newdp->dccps_isr));	131	newdp->dccps_gar = newdp->dccps_iss;
142	dccp_set_seqno(&newdp->dccps_awl,	132	newdp->dccps_gsr = newdp->dccps_isr = dreq->dreq_isr;
143	max48(newdp->dccps_awl, newdp->dccps_iss));
144		133
145	/*	134	/*
146	* Activate features after initialising the sequence numbers,	135	* Activate features: initialise CCIDs, sequence windows etc.
147	* since CCID initialisation may depend on GSS, ISR, ISS etc.
148	*/	136	*/
149	if (dccp_feat_activate_values(newsk, &dreq->dreq_featneg)) {	137	if (dccp_feat_activate_values(newsk, &dreq->dreq_featneg)) {
150	/* It is still raw copy of parent, so invalidate	138	/* It is still raw copy of parent, so invalidate