diff options
author | Yuchung Cheng <ycheng@google.com> | 2013-08-09 20:21:27 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-08-10 12:36:22 -0400 |
commit | 356d7d88e088687b6578ca64601b0a2c9d145296 (patch) | |
tree | 99e749ab856f5d1f9084d48f4b8b6e137352287c /net/netfilter | |
parent | e4d091d7bf787cd303383725b8071d0bae76f981 (diff) |
netfilter: nf_conntrack: fix tcp_in_window for Fast Open
Currently the conntrack checks if the ending sequence of a packet
falls within the observed receive window. However it does so even
if it has not observe any packet from the remote yet and uses an
uninitialized receive window (td_maxwin).
If a connection uses Fast Open to send a SYN-data packet which is
dropped afterward in the network. The subsequent SYNs retransmits
will all fail this check and be discarded, leading to a connection
timeout. This is because the SYN retransmit does not contain data
payload so
end == initial sequence number (isn) + 1
sender->td_end == isn + syn_data_len
receiver->td_maxwin == 0
The fix is to only apply this check after td_maxwin is initialized.
Reported-by: Michael Chan <mcfchan@stanford.edu>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 7dcc376eea5f..2f8010707d01 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
@@ -526,7 +526,7 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
526 | const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple; | 526 | const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple; |
527 | __u32 seq, ack, sack, end, win, swin; | 527 | __u32 seq, ack, sack, end, win, swin; |
528 | s16 receiver_offset; | 528 | s16 receiver_offset; |
529 | bool res; | 529 | bool res, in_recv_win; |
530 | 530 | ||
531 | /* | 531 | /* |
532 | * Get the required data from the packet. | 532 | * Get the required data from the packet. |
@@ -649,14 +649,18 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
649 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, | 649 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, |
650 | receiver->td_scale); | 650 | receiver->td_scale); |
651 | 651 | ||
652 | /* Is the ending sequence in the receive window (if available)? */ | ||
653 | in_recv_win = !receiver->td_maxwin || | ||
654 | after(end, sender->td_end - receiver->td_maxwin - 1); | ||
655 | |||
652 | pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n", | 656 | pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n", |
653 | before(seq, sender->td_maxend + 1), | 657 | before(seq, sender->td_maxend + 1), |
654 | after(end, sender->td_end - receiver->td_maxwin - 1), | 658 | (in_recv_win ? 1 : 0), |
655 | before(sack, receiver->td_end + 1), | 659 | before(sack, receiver->td_end + 1), |
656 | after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)); | 660 | after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)); |
657 | 661 | ||
658 | if (before(seq, sender->td_maxend + 1) && | 662 | if (before(seq, sender->td_maxend + 1) && |
659 | after(end, sender->td_end - receiver->td_maxwin - 1) && | 663 | in_recv_win && |
660 | before(sack, receiver->td_end + 1) && | 664 | before(sack, receiver->td_end + 1) && |
661 | after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) { | 665 | after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) { |
662 | /* | 666 | /* |
@@ -725,7 +729,7 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
725 | nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, | 729 | nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, |
726 | "nf_ct_tcp: %s ", | 730 | "nf_ct_tcp: %s ", |
727 | before(seq, sender->td_maxend + 1) ? | 731 | before(seq, sender->td_maxend + 1) ? |
728 | after(end, sender->td_end - receiver->td_maxwin - 1) ? | 732 | in_recv_win ? |
729 | before(sack, receiver->td_end + 1) ? | 733 | before(sack, receiver->td_end + 1) ? |
730 | after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG" | 734 | after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG" |
731 | : "ACK is under the lower bound (possible overly delayed ACK)" | 735 | : "ACK is under the lower bound (possible overly delayed ACK)" |