diff options
| author | Eric Dumazet <edumazet@google.com> | 2014-05-29 11:45:14 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-06-02 17:09:28 -0400 |
| commit | 39c36094d78c39e038c1e499b2364e13bce36f54 (patch) | |
| tree | fac76f2e1c8968c74556cc68c1920da58c6bf3dd | |
| parent | fc0d6e9cd0aefbe5de5ebafb1805f2c59539725b (diff) | |
net: fix inet_getid() and ipv6_select_ident() bugs
I noticed we were sending wrong IPv4 ID in TCP flows when MTU discovery
is disabled.
Note how GSO/TSO packets do not have monotonically incrementing ID.
06:37:41.575531 IP (id 14227, proto: TCP (6), length: 4396)
06:37:41.575534 IP (id 14272, proto: TCP (6), length: 65212)
06:37:41.575544 IP (id 14312, proto: TCP (6), length: 57972)
06:37:41.575678 IP (id 14317, proto: TCP (6), length: 7292)
06:37:41.575683 IP (id 14361, proto: TCP (6), length: 63764)
It appears I introduced this bug in linux-3.1.
inet_getid() must return the old value of peer->ip_id_count,
not the new one.
Lets revert this part, and remove the prevention of
a null identification field in IPv6 Fragment Extension Header,
which is dubious and not even done properly.
Fixes: 87c48fa3b463 ("ipv6: make fragment identifications less predictable")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/net/inetpeer.h | 9 | ||||
| -rw-r--r-- | net/ipv6/output_core.c | 11 |
2 files changed, 4 insertions, 16 deletions
diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h index 6efe73c79c52..058271bde27a 100644 --- a/include/net/inetpeer.h +++ b/include/net/inetpeer.h | |||
| @@ -177,16 +177,9 @@ static inline void inet_peer_refcheck(const struct inet_peer *p) | |||
| 177 | /* can be called with or without local BH being disabled */ | 177 | /* can be called with or without local BH being disabled */ |
| 178 | static inline int inet_getid(struct inet_peer *p, int more) | 178 | static inline int inet_getid(struct inet_peer *p, int more) |
| 179 | { | 179 | { |
| 180 | int old, new; | ||
| 181 | more++; | 180 | more++; |
| 182 | inet_peer_refcheck(p); | 181 | inet_peer_refcheck(p); |
| 183 | do { | 182 | return atomic_add_return(more, &p->ip_id_count) - more; |
| 184 | old = atomic_read(&p->ip_id_count); | ||
| 185 | new = old + more; | ||
| 186 | if (!new) | ||
| 187 | new = 1; | ||
| 188 | } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old); | ||
| 189 | return new; | ||
| 190 | } | 183 | } |
| 191 | 184 | ||
| 192 | #endif /* _NET_INETPEER_H */ | 185 | #endif /* _NET_INETPEER_H */ |
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c index 6313abd53c9d..56596ce390a1 100644 --- a/net/ipv6/output_core.c +++ b/net/ipv6/output_core.c | |||
| @@ -12,7 +12,7 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) | |||
| 12 | { | 12 | { |
| 13 | static atomic_t ipv6_fragmentation_id; | 13 | static atomic_t ipv6_fragmentation_id; |
| 14 | struct in6_addr addr; | 14 | struct in6_addr addr; |
| 15 | int old, new; | 15 | int ident; |
| 16 | 16 | ||
| 17 | #if IS_ENABLED(CONFIG_IPV6) | 17 | #if IS_ENABLED(CONFIG_IPV6) |
| 18 | struct inet_peer *peer; | 18 | struct inet_peer *peer; |
| @@ -26,15 +26,10 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) | |||
| 26 | return; | 26 | return; |
| 27 | } | 27 | } |
| 28 | #endif | 28 | #endif |
| 29 | do { | 29 | ident = atomic_inc_return(&ipv6_fragmentation_id); |
| 30 | old = atomic_read(&ipv6_fragmentation_id); | ||
| 31 | new = old + 1; | ||
| 32 | if (!new) | ||
| 33 | new = 1; | ||
| 34 | } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old); | ||
| 35 | 30 | ||
| 36 | addr = rt->rt6i_dst.addr; | 31 | addr = rt->rt6i_dst.addr; |
| 37 | addr.s6_addr32[0] ^= (__force __be32)new; | 32 | addr.s6_addr32[0] ^= (__force __be32)ident; |
| 38 | fhdr->identification = htonl(secure_ipv6_id(addr.s6_addr32)); | 33 | fhdr->identification = htonl(secure_ipv6_id(addr.s6_addr32)); |
| 39 | } | 34 | } |
| 40 | EXPORT_SYMBOL(ipv6_select_ident); | 35 | EXPORT_SYMBOL(ipv6_select_ident); |