netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options

stable inclusion from stable-4.19.238 commit 126f86e865ef1e776e853b97b4af2af3d69d4b1c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5A6BA CVE: NA -------------------------------- [ Upstream commit f2dd495a ] Do not reset IP_CT_TCP_FLAG_BE_LIBERAL flag in out-of-sync scenarios coming before the TCP window tracking, otherwise such connections will fail in the window check. Update tcp_options() to leave this flag in place and add a new helper function to reset the tcp window state. Based on patch from Sven Auhagen. Fixes: c4832c7b ("netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking") Tested-by: N Sven Auhagen <sven.auhagen@voleatech.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
stable inclusion from stable-4.19.238 commit 126f86e865ef1e776e853b97b4af2af3d69d4b1c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5A6BA CVE: NA -------------------------------- [ Upstream commit f2dd495a ] Do not reset IP_CT_TCP_FLAG_BE_LIBERAL flag in out-of-sync scenarios coming before the TCP window tracking, otherwise such connections will fail in the window check. Update tcp_options() to leave this flag in place and add a new helper function to reset the tcp window state. Based on patch from Sven Auhagen. Fixes: c4832c7b ("netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking") Tested-by: N Sven Auhagen <sven.auhagen@voleatech.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
4ae881eb · Pablo Neira Ayuso · Yongqiang Liu · a7dfa2e2 · 4ae881eb
隐藏空白更改
内联并排

Showing with 13 addition and 4 deletion

net/netfilter/nf_conntrack_proto_tcp.c net/netfilter/nf_conntrack_proto_tcp.c +13 -4

未找到文件。
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -357,8 +357,8 @@ static void tcp_options(const struct sk_buff *skb,
 				 length, buff);
 	BUG_ON(ptr == NULL);
-	state->td_scale =
+	state->td_scale = 0;
-	state->flags = 0;
+	state->flags &= IP_CT_TCP_FLAG_BE_LIBERAL;
 	while (length > 0) {
 		int opcode=*ptr++;
@@ -779,6 +779,16 @@ static bool nf_conntrack_tcp_established(const struct nf_conn *ct)
 	       test_bit(IPS_ASSURED_BIT, &ct->status);
 }
+static void nf_ct_tcp_state_reset(struct ip_ct_tcp_state *state)
+{
+	state->td_end		= 0;
+	state->td_maxend	= 0;
+	state->td_maxwin	= 0;
+	state->td_maxack	= 0;
+	state->td_scale		= 0;
+	state->flags		&= IP_CT_TCP_FLAG_BE_LIBERAL;
+}
 /* Returns verdict for packet, or -1 for invalid. */
 static int tcp_packet(struct nf_conn *ct,
 		      const struct sk_buff *skb,
@@ -877,8 +887,7 @@ static int tcp_packet(struct nf_conn *ct,
 			ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
 			ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
 				ct->proto.tcp.last_flags;
-			memset(&ct->proto.tcp.seen[dir], 0,
+			nf_ct_tcp_state_reset(&ct->proto.tcp.seen[dir]);
-			       sizeof(struct ip_ct_tcp_state));
 			break;
 		}
 		ct->proto.tcp.last_index = index;