tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

tcp: md5: Fix overlap between vrf and non-vrf keys

With net.ipv4.tcp_l3mdev_accept=1 it is possible for a listen socket to
accept connection from the same client address in different VRFs. It is
also possible to set different MD5 keys for these clients which differ
only in the tcpm_l3index field.

This appears to work when distinguishing between different VRFs but not
between non-VRF and VRF connections. In particular:

* tcp_md5_do_lookup_exact will match a non-vrf key against a vrf key.
This means that adding a key with l3index != 0 after a key with l3index
== 0 will cause the earlier key to be deleted. Both keys can be present
if the non-vrf key is added later.
* _tcp_md5_do_lookup can match a non-vrf key before a vrf key. This
casues failures if the passwords differ.

Fix this by making tcp_md5_do_lookup_exact perform an actual exact
comparison on l3index and by making __tcp_md5_do_lookup perfer
vrf-bound keys above other considerations like prefixlen.

Fixes: dea53bb80e07 ("tcp: Add l3index to tcp_md5sig_key and md5 functions")
Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Leonard Crestez and committed by
David S. Miller 86f1e3a8 46393d61

+16 -3
+16 -3
net/ipv4/tcp_ipv4.c
··· 1037 1037 DEFINE_STATIC_KEY_FALSE(tcp_md5_needed); 1038 1038 EXPORT_SYMBOL(tcp_md5_needed); 1039 1039 1040 + static bool better_md5_match(struct tcp_md5sig_key *old, struct tcp_md5sig_key *new) 1041 + { 1042 + if (!old) 1043 + return true; 1044 + 1045 + /* l3index always overrides non-l3index */ 1046 + if (old->l3index && new->l3index == 0) 1047 + return false; 1048 + if (old->l3index == 0 && new->l3index) 1049 + return true; 1050 + 1051 + return old->prefixlen < new->prefixlen; 1052 + } 1053 + 1040 1054 /* Find the Key structure for an address. */ 1041 1055 struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3index, 1042 1056 const union tcp_md5_addr *addr, ··· 1088 1074 match = false; 1089 1075 } 1090 1076 1091 - if (match && (!best_match || 1092 - key->prefixlen > best_match->prefixlen)) 1077 + if (match && better_md5_match(best_match, key)) 1093 1078 best_match = key; 1094 1079 } 1095 1080 return best_match; ··· 1118 1105 lockdep_sock_is_held(sk)) { 1119 1106 if (key->family != family) 1120 1107 continue; 1121 - if (key->l3index && key->l3index != l3index) 1108 + if (key->l3index != l3index) 1122 1109 continue; 1123 1110 if (!memcmp(&key->addr, addr, size) && 1124 1111 key->prefixlen == prefixlen)