tcp: md5: Fix overlap between vrf and non-vrf keys

stable inclusion from stable-5.10.76 commit 38d984e5e845b2c0ec87e396c3f3771b4187990f bugzilla: 182988 https://gitee.com/openeuler/kernel/issues/I4IAHF Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=38d984e5e845b2c0ec87e396c3f3771b4187990f -------------------------------- [ Upstream commit 86f1e3a8 ] With net.ipv4.tcp_l3mdev_accept=1 it is possible for a listen socket to accept connection from the same client address in different VRFs. It is also possible to set different MD5 keys for these clients which differ only in the tcpm_l3index field. This appears to work when distinguishing between different VRFs but not between non-VRF and VRF connections. In particular: * tcp_md5_do_lookup_exact will match a non-vrf key against a vrf key. This means that adding a key with l3index != 0 after a key with l3index == 0 will cause the earlier key to be deleted. Both keys can be present if the non-vrf key is added later. * _tcp_md5_do_lookup can match a non-vrf key before a vrf key. This casues failures if the passwords differ. Fix this by making tcp_md5_do_lookup_exact perform an actual exact comparison on l3index and by making __tcp_md5_do_lookup perfer vrf-bound keys above other considerations like prefixlen. Fixes: dea53bb8 ("tcp: Add l3index to tcp_md5sig_key and md5 functions") Signed-off-by: N Leonard Crestez <cdleonard@gmail.com> Reviewed-by: N David Ahern <dsahern@kernel.org> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

tcp: md5: Fix overlap between vrf and non-vrf keys
stable inclusion from stable-5.10.76 commit 38d984e5e845b2c0ec87e396c3f3771b4187990f bugzilla: 182988 https://gitee.com/openeuler/kernel/issues/I4IAHF Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=38d984e5e845b2c0ec87e396c3f3771b4187990f -------------------------------- [ Upstream commit 86f1e3a8 ] With net.ipv4.tcp_l3mdev_accept=1 it is possible for a listen socket to accept connection from the same client address in different VRFs. It is also possible to set different MD5 keys for these clients which differ only in the tcpm_l3index field. This appears to work when distinguishing between different VRFs but not between non-VRF and VRF connections. In particular: * tcp_md5_do_lookup_exact will match a non-vrf key against a vrf key. This means that adding a key with l3index != 0 after a key with l3index == 0 will cause the earlier key to be deleted. Both keys can be present if the non-vrf key is added later. * _tcp_md5_do_lookup can match a non-vrf key before a vrf key. This casues failures if the passwords differ. Fix this by making tcp_md5_do_lookup_exact perform an actual exact comparison on l3index and by making __tcp_md5_do_lookup perfer vrf-bound keys above other considerations like prefixlen. Fixes: dea53bb8 ("tcp: Add l3index to tcp_md5sig_key and md5 functions") Signed-off-by: N Leonard Crestez <cdleonard@gmail.com> Reviewed-by: N David Ahern <dsahern@kernel.org> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
4eb714c4 · Leonard Crestez · Zheng Zengkai · 66f1efe7 · 4eb714c4
显示空白变更内容
内联并排

Showing with 16 addition and 3 deletion

net/ipv4/tcp_ipv4.c net/ipv4/tcp_ipv4.c +16 -3

未找到文件。
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1022,6 +1022,20 @@ static void tcp_v4_reqsk_destructor(struct request_sock *req)
 DEFINE_STATIC_KEY_FALSE(tcp_md5_needed);
 EXPORT_SYMBOL(tcp_md5_needed);

+static bool better_md5_match(struct tcp_md5sig_key *old, struct tcp_md5sig_key *new)
+{
+	if (!old)
+		return true;
+
+	/* l3index always overrides non-l3index */
+	if (old->l3index && new->l3index == 0)
+		return false;
+	if (old->l3index == 0 && new->l3index)
+		return true;
+
+	return old->prefixlen < new->prefixlen;
+}
+
 /* Find the Key structure for an address.  */
 struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3index,
 					   const union tcp_md5_addr *addr,
@@ -1059,8 +1073,7 @@ struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3index,
 			match = false;
 		}

-		if (match && (!best_match ||
-			      key->prefixlen > best_match->prefixlen))
+		if (match && better_md5_match(best_match, key))
 			best_match = key;
 	}
 	return best_match;
@@ -1090,7 +1103,7 @@ static struct tcp_md5sig_key *tcp_md5_do_lookup_exact(const struct sock *sk,
 				 lockdep_sock_is_held(sk)) {
 		if (key->family != family)
 			continue;
-		if (key->l3index && key->l3index != l3index)
+		if (key->l3index != l3index)
 			continue;
 		if (!memcmp(&key->addr, addr, size) &&
 		    key->prefixlen == prefixlen)