From: "Gix, Brian" <brian.gix@intel.com>
To: "michal.lowas-rzechonek@silvair.com"
<michal.lowas-rzechonek@silvair.com>
Cc: "istotlan@ingas-xps13.amr.corp.intel.com"
<istotlan@ingas-xps13.amr.corp.intel.com>,
"jakub.witowski@silvair.com" <jakub.witowski@silvair.com>,
"linux-bluetooth@vger.kernel.org"
<linux-bluetooth@vger.kernel.org>
Subject: Re: [PATCH 0/1] Sequence number out of range fix
Date: Wed, 15 Jan 2020 21:21:49 +0000 [thread overview]
Message-ID: <456a42fe1d521b9c61bb54bacbddf7b99573df5f.camel@intel.com> (raw)
In-Reply-To: <20200115210414.fvywao5evmbx5725@kynes>
On Wed, 2020-01-15 at 22:04 +0100, michal.lowas-rzechonek@silvair.com wrote:
> Hi Brian,
>
> On 01/15, Gix, Brian wrote:
> > > Good point. Note that his is also possible in the current
> > > implementation: since seq_num is applied to nonce with a 24bit mask,
> > > it's going to wrap around.
> >
> > The full IV Index is in the nonce, and at 192 hours per IV index, will
> > be unique for something like 1.4 million years.
>
> Yes it is, but that's not the point.
>
> At the moment, net->seq_num is a 32 bit value that *can* exceed 24bit
> range, because mesh_net_next_seq_num() doesn't check ranges. So the
> raw value can reach 0x1000000 and above.
>
> Now, this raw value is used in send_seg, passed to
> mesh_crypto_packet_build, which effectively applies a 24bit mask in line
> 640:
Yes, we should definitely be sanity checking this, and not sending if SeqNum out of range.
>
> l_put_be32(seq, packet + 1);
> packet[1] = (ctl ? CTL : 0) | (ttl & TTL_MASK);
>
> So this means that when:
>
> - the network is already in iv update (so that you can't increase the
> iv_index, maybe you even started the procedure yourself because your
> seq_num is above the threshold)
>
> - your sequence number is sufficiently large (because of the "repeated
> crash" scenario described below)
I think if we are repeatedly crashing, and it is causing a runaway sequence number increase, that being
forbidden to send more packets is a natural consequence, and people should fix the code that was causing the
crash in the first place.
>
> Then the actual value used in the nonce will be net->seq_num & 0xffffff,
> which is something you have *already* used before. All of that happens
> with the same IV index.
>
> > The over commit is calculated based on the usage rate, and the daemon
> > would need to unexpectedly abort (not just ctrl-c or exit) for us to
> > use the over-commit value
>
> Indeed, that's precisely what I'm talking about - repeated, unhandled
> process terminations. We're trying to come up with the patch simply
> because this situation has *already happened* on one of our instances.
>
next prev parent reply other threads:[~2020-01-15 21:21 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-15 17:08 [PATCH 0/1] Sequence number out of range fix Jakub Witowski
2020-01-15 17:08 ` [PATCH 1/1] mesh: sequence " Jakub Witowski
2020-01-15 18:35 ` [PATCH 0/1] Sequence " Gix, Brian
2020-01-15 19:09 ` michal.lowas-rzechonek
2020-01-15 19:53 ` Gix, Brian
2020-01-15 21:04 ` michal.lowas-rzechonek
2020-01-15 21:21 ` Gix, Brian [this message]
2020-01-15 22:02 ` michal.lowas-rzechonek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=456a42fe1d521b9c61bb54bacbddf7b99573df5f.camel@intel.com \
--to=brian.gix@intel.com \
--cc=istotlan@ingas-xps13.amr.corp.intel.com \
--cc=jakub.witowski@silvair.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=michal.lowas-rzechonek@silvair.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).