Re: [PATCH] tcp: md5: Fix overlap between vrf and non-vrf keys

From: Leonard Crestez
Date: Thu Oct 07 2021 - 02:41:51 EST
On 07.10.2021 04:14, David Ahern wrote:
On 10/6/21 11:48 AM, Leonard Crestez wrote:
@@ -1103,11 +1116,11 @@ static struct tcp_md5sig_key *tcp_md5_do_lookup_exact(const struct sock *sk,
#endif
hlist_for_each_entry_rcu(key, &md5sig->head, node,
lockdep_sock_is_held(sk)) {
if (key->family != family)
continue;
- if (key->l3index && key->l3index != l3index)
+ if (key->l3index != l3index)
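Review bot: removing the `key->l3index &&` guard in tcp_md5_do_lookup_exact turns a key added without an ifindex (l3index 0) from a wildcard into a non-VRF-only key, so an existing key installed without TCP_MD5SIG_FLAG_IFINDEX stops matching a socket bound to a VRF; the commit message should state this uapi-visible behaviour change explicitly, and because this hunk only touches the exact lookup, the same condition has to change in the non-exact lookup path (__tcp_md5_do_lookup) or the add and lookup paths will disagree about which key a VRF socket uses.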

That seems like the bug fix there. The L3 reference needs to match for
new key and existing key. I think the same change is needed in
__tcp_md5_do_lookup.

Current behavior is that keys added without tcpm_ifindex will match connections both inside and outside VRFs. Changing this might break real applications, is it really OK to claim that this behavior was a bug all along?

The approach with most backward compatibility would be to add a new flag for keys that only match non-vrf connections.

Alternatively, (TCP_MD5SIG_FLAG_IFINDEX && tcpm_ifindex == 0) could be defined as "only non-vrf connections" while TCP_MD5SIG_FLAG_IFINDEX missing could be "either".

--
Regards,
Leonard
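To make the compatibility question above concrete, here is an added userspace model (not kernel code, and not from either author) of the three matching rules discussed in this thread: the pre-patch rule, the patched exact rule, and the flag-based alternative. The struct and helper names are constructed for this example; the flag value is taken from the uapi header, and `affected_by_patch()` reports which (key, socket) combinations change behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Value from include/uapi/linux/tcp.h; defined locally so this builds off Linux. */
#ifndef TCP_MD5SIG_FLAG_IFINDEX
#define TCP_MD5SIG_FLAG_IFINDEX 0x2
#endif

/* Constructed model of the fields that matter for matching. Without
 * TCP_MD5SIG_FLAG_IFINDEX the kernel does not take tcpm_ifindex, so
 * such keys always carry l3index 0. */
struct model_key {
	uint8_t flags;   /* tcpm_flags supplied at TCP_MD5SIG_EXT time */
	int l3index;     /* 0 = no VRF binding */
};

/* Rule before the patch: an l3index-0 key matches every socket. */
static bool match_before(const struct model_key *k, int sk_l3index)
{
	return !(k->l3index && k->l3index != sk_l3index);
}

/* Rule after the patch: the L3 reference must match exactly. */
static bool match_after(const struct model_key *k, int sk_l3index)
{
	return k->l3index == sk_l3index;
}

/* Alternative proposed in the reply: FLAG_IFINDEX with tcpm_ifindex == 0
 * means "non-VRF only"; no flag at all means "either". */
static bool match_flagged(const struct model_key *k, int sk_l3index)
{
	if (!(k->flags & TCP_MD5SIG_FLAG_IFINDEX))
		return true;
	return k->l3index == sk_l3index;
}

/* True when the patch changes the outcome for this key/socket pair:
 * only keys without a VRF binding looked up from a VRF socket. */
static bool affected_by_patch(const struct model_key *k, int sk_l3index)
{
	return match_before(k, sk_l3index) != match_after(k, sk_l3index);
}

int main(void)
{
	struct model_key legacy = { .flags = 0, .l3index = 0 };
	printf("legacy key on VRF socket changes: %d\n", affected_by_patch(&legacy, 5));
	return 0;
}
```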