linux/include
sewookseo e22aa14866 net: Find dst with sk's xfrm policy not ctl_sk
If we set XFRM security policy by calling setsockopt with option
IPV6_XFRM_POLICY, the policy will be stored in 'sock_policy' in 'sock'
struct. However tcp_v6_send_response doesn't look up dst_entry with the
actual socket but looks up with tcp control socket. This may cause a
problem that a RST packet is sent without ESP encryption & peer's TCP
socket can't receive it.
This patch will make the function look up dest_entry with actual socket,
if the socket has XFRM policy (sock_policy), so that the TCP response
packet via this function can be encrypted, & aligned on the encrypted
TCP socket.

Tested: We encountered this problem when a TCP socket which is encrypted
in ESP transport mode encryption receives challenge ACK at SYN_SENT
state. After receiving challenge ACK, TCP needs to send RST to
establish the socket at next SYN try. But the RST was not encrypted &
peer TCP socket still remains on ESTABLISHED state.
So we verified this with the test steps below.
[Test step]
1. Making a TCP state mismatch between client (IDLE) & server (ESTABLISHED).
2. Client tries a new connection on the same TCP ports (src & dst).
3. Server will return challenge ACK instead of SYN,ACK.
4. Client will send RST to server to clear the SOCKET.
5. Client will retransmit SYN to server on the same TCP ports.
[Expected result]
The TCP connection should be established.

Cc: Maciej Żenczykowski <maze@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Sehee Lee <seheele@google.com>
Signed-off-by: Sewook Seo <sewookseo@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-07-11 13:39:56 +01:00
acpi cxl for 5.19 2022-05-27 21:24:19 -07:00
asm-generic kernel: add platform_has() infrastructure 2022-06-06 08:06:00 +02:00
clocksource pwm: Changes for v5.19-rc1 2022-06-01 10:49:11 -07:00
crypto
drm drm/ttm: fix bulk move handling v2 2022-06-14 11:15:19 +02:00
dt-bindings dt-bindings: net: pcs: add bindings for Renesas RZ/N1 MII converter 2022-06-27 11:37:55 +01:00
keys certs: Move load_certificate_list() to be with the asymmetric keys code 2022-06-21 16:05:06 +01:00
kunit
kvm
linux Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-07-09 12:24:16 -07:00
math-emu
media
memory
misc
net net: Find dst with sk's xfrm policy not ctl_sk 2022-07-11 13:39:56 +01:00
pcmcia
ras
rdma RDMA/core: Fix typo in comment 2022-05-24 11:24:58 -03:00
scsi SCSI misc on 20220524 2022-05-25 19:09:48 -07:00
soc net: dsa: felix: keep reference on entire tc-taprio config 2022-06-30 21:18:15 -07:00
sound ASoC: Remove unused hw_write_t type 2022-06-24 16:21:41 +01:00
target SCSI misc on 20220524 2022-05-25 19:09:48 -07:00
trace Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-06-30 16:31:00 -07:00
uapi Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-07-09 12:24:16 -07:00
ufs scsi: ufs: Split the drivers/scsi/ufs directory 2022-05-19 20:27:37 -04:00
vdso
video video: fbdev: radeon: Fix spelling typo in comment 2022-05-26 13:38:59 +02:00
xen arm/xen: Assign xen-grant DMA ops for xen-grant DMA devices 2022-06-06 16:07:30 +02:00