dccp: fix the adjustments to AWL and SWL

This fixes a problem and a potential loophole with regard to seqno/ackno
validity: currently the initial adjustments to AWL/SWL are only performed
once at the begin of the connection, during the handshake.

Since the Sequence Window feature is always greater than Wmin=32 (7.5.2),
it is however necessary to perform these adjustments at least for the first
W/W' (variables as per 7.5.1) packets in the lifetime of a connection.

This requirement is complicated by the fact that W/W' can change at any time
during the lifetime of a connection.

Therefore it is better to perform that safety check each time SWL/AWL are
updated, as implemented by the patch.

A second problem solved by this patch is that the remote/local Sequence Window
feature values (which set the bounds for AWL/SWL/SWH) are undefined until the
feature negotiation has completed.

During the initial handshake we have more stringent sequence number protection;
the changes added by this patch effect that {A,S}W{L,H} are within the correct
bounds at the instant that feature negotiation completes (since the SeqWin
feature activation handlers call dccp_update_gsr/gss()).

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>

1 files changed, 20 insertions, 0 deletions

diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h
index 019d6ffee354..e051c774ef5c 100644
--- a/net/dccp/dccp.h
+++ b/net/dccp/dccp.h
@@ -414,6 +414,23 @@ static inline void dccp_update_gsr(struct sock *sk, u64 seq)
         dp->dccps_gsr = seq;
         /* Sequence validity window depends on remote Sequence Window (7.5.1) */
         dp->dccps_swl = SUB48(ADD48(dp->dccps_gsr, 1), dp->dccps_r_seq_win / 4);
+        /*
+         * Adjust SWL so that it is not below ISR. In contrast to RFC 4340,
+         * 7.5.1 we perform this check beyond the initial handshake: W/W' are
+         * always > 32, so for the first W/W' packets in the lifetime of a
+         * connection we always have to adjust SWL.
+         * A second reason why we are doing this is that the window depends on
+         * the feature-remote value of Sequence Window: nothing stops the peer
+         * from updating this value while we are busy adjusting SWL for the
+         * first W packets (we would have to count from scratch again then).
+         * Therefore it is safer to always make sure that the Sequence Window
+         * is not artificially extended by a peer who grows SWL downwards by
+         * continually updating the feature-remote Sequence-Window.
+         * If sequence numbers wrap it is bad luck. But that will take a while
+         * (48 bit), and this measure prevents Sequence-number attacks.
+         */
+        if (before48(dp->dccps_swl, dp->dccps_isr))
+                dp->dccps_swl = dp->dccps_isr;
         dp->dccps_swh = ADD48(dp->dccps_gsr, (3 * dp->dccps_r_seq_win) / 4);
 }
 
@@ -424,6 +441,9 @@ static inline void dccp_update_gss(struct sock *sk, u64 seq)
         dp->dccps_gss = seq;
         /* Ack validity window depends on local Sequence Window value (7.5.1) */
         dp->dccps_awl = SUB48(ADD48(dp->dccps_gss, 1), dp->dccps_l_seq_win);
+        /* Adjust AWL so that it is not below ISS - see comment above for SWL */
+        if (before48(dp->dccps_awl, dp->dccps_iss))
+                dp->dccps_awl = dp->dccps_iss;
         dp->dccps_awh = dp->dccps_gss;
 }