dccp: fix bug in sequence number validation during connection setup

This fixes a bug in the sequence number validation during the initial handshake.

The code did not treat the initial sequence numbers ISS and ISR as read-only and
did not keep state for GSR and GSS as required by the specification. This causes
problems with retransmissions during the initial handshake, causing the
budding connection to be reset.

This patch now treats ISS/ISR as read-only and tracks GSS/GSR as required.

Signed-off-by: Samuel Jero <sj323707@ohio.edu>
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>

1 files changed, 5 insertions, 3 deletions

diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 1c67fe8ff90d..caf6e1734b62 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -300,7 +300,8 @@ static void dccp_v4_err(struct sk_buff *skb, u32 info)
                  */
                 WARN_ON(req->sk);
 
-                if (seq != dccp_rsk(req)->dreq_iss) {
+                if (!between48(seq, dccp_rsk(req)->dreq_iss,
+                                    dccp_rsk(req)->dreq_gss)) {
                         NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
                         goto out;
                 }
@@ -639,11 +640,12 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
          *
          * Set S.ISR, S.GSR, S.SWL, S.SWH from packet or Init Cookie
          *
-         * In fact we defer setting S.GSR, S.SWL, S.SWH to
-         * dccp_create_openreq_child.
+         * Setting S.SWL/S.SWH to is deferred to dccp_create_openreq_child().
          */
         dreq->dreq_isr     = dcb->dccpd_seq;
+        dreq->dreq_gsr     = dreq->dreq_isr;
         dreq->dreq_iss     = dccp_v4_init_sequence(skb);
+        dreq->dreq_gss     = dreq->dreq_iss;
         dreq->dreq_service = service;
 
         if (dccp_v4_send_response(sk, req, NULL))