1 files changed, 36 insertions, 39 deletions

diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index bf63ac8a49b9..535a3ad262f1 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -24,26 +24,23 @@
 #define COOKIEBITS 24   /* Upper bits store count */
 #define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)
 
-/* Table must be sorted. */
+static u32 syncookie6_secret[2][16-4+SHA_DIGEST_WORDS];
+
+/* RFC 2460, Section 8.3:
+ * [ipv6 tcp] MSS must be computed as the maximum packet size minus 60 [..]
+ *
+ * Due to IPV6_MIN_MTU=1280 the lowest possible MSS is 1220, which allows
+ * using higher values than ipv4 tcp syncookies.
+ * The other values are chosen based on ethernet (1500 and 9k MTU), plus
+ * one that accounts for common encap (PPPoe) overhead. Table must be sorted.
+ */
 static __u16 const msstab[] = {
-        64,
-        512,
-        536,
-        1280 - 60,
+        1280 - 60, /* IPV6_MIN_MTU - 60 */
         1480 - 60,
         1500 - 60,
-        4460 - 60,
         9000 - 60,
 };
 
-/*
- * This (misnamed) value is the age of syncookie which is permitted.
- * Its ideal value should be dependent on TCP_TIMEOUT_INIT and
- * sysctl_tcp_retries1. It's a rather complicated formula (exponential
- * backoff) to compute at runtime so it's currently hardcoded here.
- */
-#define COUNTER_TRIES 4
-
 static inline struct sock *get_cookie_sock(struct sock *sk, struct sk_buff *skb,
                                            struct request_sock *req,
                                            struct dst_entry *dst)
@@ -66,14 +63,18 @@ static DEFINE_PER_CPU(__u32 [16 + 5 + SHA_WORKSPACE_WORDS],
 static u32 cookie_hash(const struct in6_addr *saddr, const struct in6_addr *daddr,
                        __be16 sport, __be16 dport, u32 count, int c)
 {
-        __u32 *tmp = __get_cpu_var(ipv6_cookie_scratch);
+        __u32 *tmp;
+
+        net_get_random_once(syncookie6_secret, sizeof(syncookie6_secret));
+
+        tmp  = __get_cpu_var(ipv6_cookie_scratch);
 
         /*
          * we have 320 bits of information to hash, copy in the remaining
-         * 192 bits required for sha_transform, from the syncookie_secret
+         * 192 bits required for sha_transform, from the syncookie6_secret
          * and overwrite the digest with the secret
          */
-        memcpy(tmp + 10, syncookie_secret[c], 44);
+        memcpy(tmp + 10, syncookie6_secret[c], 44);
         memcpy(tmp, saddr, 16);
         memcpy(tmp + 4, daddr, 16);
         tmp[8] = ((__force u32)sport << 16) + (__force u32)dport;
@@ -86,8 +87,9 @@ static u32 cookie_hash(const struct in6_addr *saddr, const struct in6_addr *dadd
 static __u32 secure_tcp_syn_cookie(const struct in6_addr *saddr,
                                    const struct in6_addr *daddr,
                                    __be16 sport, __be16 dport, __u32 sseq,
-                                   __u32 count, __u32 data)
+                                   __u32 data)
 {
+        u32 count = tcp_cookie_time();
         return (cookie_hash(saddr, daddr, sport, dport, 0, 0) +
                 sseq + (count << COOKIEBITS) +
                 ((cookie_hash(saddr, daddr, sport, dport, count, 1) + data)
@@ -96,15 +98,14 @@ static __u32 secure_tcp_syn_cookie(const struct in6_addr *saddr,
 
 static __u32 check_tcp_syn_cookie(__u32 cookie, const struct in6_addr *saddr,
                                   const struct in6_addr *daddr, __be16 sport,
-                                  __be16 dport, __u32 sseq, __u32 count,
-                                  __u32 maxdiff)
+                                  __be16 dport, __u32 sseq)
 {
-        __u32 diff;
+        __u32 diff, count = tcp_cookie_time();
 
         cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;
 
         diff = (count - (cookie >> COOKIEBITS)) & ((__u32) -1 >> COOKIEBITS);
-        if (diff >= maxdiff)
+        if (diff >= MAX_SYNCOOKIE_AGE)
                 return (__u32)-1;
 
         return (cookie -
@@ -125,8 +126,7 @@ u32 __cookie_v6_init_sequence(const struct ipv6hdr *iph,
         *mssp = msstab[mssind];
 
         return secure_tcp_syn_cookie(&iph->saddr, &iph->daddr, th->source,
-                                     th->dest, ntohl(th->seq),
-                                     jiffies / (HZ * 60), mssind);
+                                     th->dest, ntohl(th->seq), mssind);
 }
 EXPORT_SYMBOL_GPL(__cookie_v6_init_sequence);
 
@@ -146,8 +146,7 @@ int __cookie_v6_check(const struct ipv6hdr *iph, const struct tcphdr *th,
 {
         __u32 seq = ntohl(th->seq) - 1;
         __u32 mssind = check_tcp_syn_cookie(cookie, &iph->saddr, &iph->daddr,
-                                            th->source, th->dest, seq,
-                                            jiffies / (HZ * 60), COUNTER_TRIES);
+                                            th->source, th->dest, seq);
 
         return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0;
 }
@@ -157,7 +156,6 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
 {
         struct tcp_options_received tcp_opt;
         struct inet_request_sock *ireq;
-        struct inet6_request_sock *ireq6;
         struct tcp_request_sock *treq;
         struct ipv6_pinfo *np = inet6_sk(sk);
         struct tcp_sock *tp = tcp_sk(sk);
@@ -194,7 +192,6 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
                 goto out;
 
         ireq = inet_rsk(req);
-        ireq6 = inet6_rsk(req);
         treq = tcp_rsk(req);
         treq->listener = NULL;
 
@@ -202,22 +199,22 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
                 goto out_free;
 
         req->mss = mss;
-        ireq->rmt_port = th->source;
-        ireq->loc_port = th->dest;
-        ireq6->rmt_addr = ipv6_hdr(skb)->saddr;
-        ireq6->loc_addr = ipv6_hdr(skb)->daddr;
+        ireq->ir_rmt_port = th->source;
+        ireq->ir_num = ntohs(th->dest);
+        ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
+        ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
         if (ipv6_opt_accepted(sk, skb) ||
             np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
             np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
                 atomic_inc(&skb->users);
-                ireq6->pktopts = skb;
+                ireq->pktopts = skb;
         }
 
-        ireq6->iif = sk->sk_bound_dev_if;
+        ireq->ir_iif = sk->sk_bound_dev_if;
         /* So that link locals have meaning */
         if (!sk->sk_bound_dev_if &&
-            ipv6_addr_type(&ireq6->rmt_addr) & IPV6_ADDR_LINKLOCAL)
-                ireq6->iif = inet6_iif(skb);
+            ipv6_addr_type(&ireq->ir_v6_rmt_addr) & IPV6_ADDR_LINKLOCAL)
+                ireq->ir_iif = inet6_iif(skb);
 
         req->expires = 0UL;
         req->num_retrans = 0;
@@ -241,12 +238,12 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
                 struct flowi6 fl6;
                 memset(&fl6, 0, sizeof(fl6));
                 fl6.flowi6_proto = IPPROTO_TCP;
-                fl6.daddr = ireq6->rmt_addr;
+                fl6.daddr = ireq->ir_v6_rmt_addr;
                 final_p = fl6_update_dst(&fl6, np->opt, &final);
-                fl6.saddr = ireq6->loc_addr;
+                fl6.saddr = ireq->ir_v6_loc_addr;
                 fl6.flowi6_oif = sk->sk_bound_dev_if;
                 fl6.flowi6_mark = sk->sk_mark;
-                fl6.fl6_dport = inet_rsk(req)->rmt_port;
+                fl6.fl6_dport = ireq->ir_rmt_port;
                 fl6.fl6_sport = inet_sk(sk)->inet_sport;
                 security_req_classify_flow(req, flowi6_to_flowi(&fl6));