Message ID | 1491132259.10124.3.camel@edumazet-glaptop3.roam.corp.google.com |
---|---|
State | Awaiting Upstream, archived |
Delegated to: | David Miller |
Headers | show |
Eric Dumazet <eric.dumazet@gmail.com> wrote: > - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { > + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { > if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) { > u_int16_t oldmss; maybe I am low on caffeeine but this looks fine, for tcp header with only tcpmss this boils down to "20 <= 24 - 4" so we acccess offsets 20-23 which seems ok.
On 2017-04-02 14:45, Florian Westphal wrote: > Eric Dumazet <eric.dumazet@gmail.com> wrote: >> - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += >> optlen(opt, i)) { >> + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i += >> optlen(opt, i)) { >> if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) { >> u_int16_t oldmss; > > maybe I am low on caffeeine but this looks fine, for tcp header with > only tcpmss this boils down to "20 <= 24 - 4" so we acccess offsets > 20-23 which seems ok. It seems some non-standard(or corrupted) packets are passing, because even on ~1G server it might cause corruption once per several days, KASAN seems need less time to trigger. I am not aware how things working, but: [25181.875696] Memory state around the buggy address: [25181.875919] ffff8802975fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [25181.876275] ffff880297600000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [25181.876628] >ffff880297600080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [25181.876984] ^ [25181.877203] ffff880297600100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [25181.877569] ffff880297600180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Why all data here is zero? I guess it should be some packet data?
On Sun, 2017-04-02 at 13:45 +0200, Florian Westphal wrote: > Eric Dumazet <eric.dumazet@gmail.com> wrote: > > - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { > > + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { > > if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) { > > u_int16_t oldmss; > > maybe I am low on caffeeine but this looks fine, for tcp header with > only tcpmss this boils down to "20 <= 24 - 4" so we acccess offsets 20-23 which seems ok. I am definitely low on caffeine ;) An issue in this function is that we might add the missing MSS option, without checking that TCP options are already full. But this should not cause a KASAN splat, only some malformed TCP packet (tcph->doff would wrap)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 27241a767f17b4b27d24095a31e5e9a2d3e29ce4..81731866c921932318555414b497e37b0649114a 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -122,7 +122,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, newmss = info->mss; opt = (u_int8_t *)tcph; - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) { u_int16_t oldmss;