tcp: md5: Fix overlap between vrf and non-vrf keys (86f1e3a8) · Commits · Mirrors / github.com / raspberrypi_linux

Commit 86f1e3a8 authored Oct 15, 2021 by

Leonard Crestez Committed by David S. Miller Oct 15, 2021

tcp: md5: Fix overlap between vrf and non-vrf keys



With net.ipv4.tcp_l3mdev_accept=1 it is possible for a listen socket to
accept connection from the same client address in different VRFs. It is
also possible to set different MD5 keys for these clients which differ
only in the tcpm_l3index field.

This appears to work when distinguishing between different VRFs but not
between non-VRF and VRF connections. In particular:

 * tcp_md5_do_lookup_exact will match a non-vrf key against a vrf key.
This means that adding a key with l3index != 0 after a key with l3index
== 0 will cause the earlier key to be deleted. Both keys can be present
if the non-vrf key is added later.
 * _tcp_md5_do_lookup can match a non-vrf key before a vrf key. This
casues failures if the passwords differ.

Fix this by making tcp_md5_do_lookup_exact perform an actual exact
comparison on l3index and by making  __tcp_md5_do_lookup perfer
vrf-bound keys above other considerations like prefixlen.

Fixes: dea53bb8 ("tcp: Add l3index to tcp_md5sig_key and md5 functions")
Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 46393d61

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 38d984e5
· Oct 29, 2021

mentioned in commit 38d984e5

mentioned in commit 38d984e5e845b2c0ec87e396c3f3771b4187990f

Toggle commit list

Please register or to comment