From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
To: <davem@davemloft.net>, <kuznet@ms2.inr.ac.ru>,
<yoshfuji@linux-ipv6.org>, <edumazet@google.com>
Cc: <kuniyu@amazon.co.jp>, <kuni1840@gmail.com>,
<netdev@vger.kernel.org>, <osa-contribution-log@amazon.com>
Subject: [PATCH v2 net-next 3/3] tcp: Prevent port hijacking when ports are exhausted.
Date: Wed, 26 Feb 2020 16:46:31 +0900 [thread overview]
Message-ID: <20200226074631.67688-4-kuniyu@amazon.co.jp> (raw)
In-Reply-To: <20200226074631.67688-1-kuniyu@amazon.co.jp>
If all of the sockets bound to the same port have SO_REUSEADDR and
SO_REUSEPORT enabled, any other user can hijack the port by exhausting all
ephemeral ports, binding sockets to (addr, 0) and calling listen().
If both of SO_REUSEADDR and SO_REUSEPORT are enabled, the restriction of
SO_REUSEPORT should be taken into account so that can only one socket be in
TCP_LISTEN.
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
---
net/ipv4/inet_connection_sock.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index cddeab240ea6..d27ed5fe7147 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -131,7 +131,7 @@ static int inet_csk_bind_conflict(const struct sock *sk,
{
struct sock *sk2;
bool reuse = sk->sk_reuse;
- bool reuseport = !!sk->sk_reuseport && reuseport_ok;
+ bool reuseport = !!sk->sk_reuseport;
kuid_t uid = sock_i_uid((struct sock *)sk);
/*
@@ -148,10 +148,16 @@ static int inet_csk_bind_conflict(const struct sock *sk,
sk->sk_bound_dev_if == sk2->sk_bound_dev_if)) {
if (reuse && sk2->sk_reuse &&
sk2->sk_state != TCP_LISTEN) {
- if (!relax &&
+ if ((!relax ||
+ (!reuseport_ok &&
+ reuseport && sk2->sk_reuseport &&
+ !rcu_access_pointer(sk->sk_reuseport_cb) &&
+ (sk2->sk_state == TCP_TIME_WAIT ||
+ uid_eq(uid, sock_i_uid(sk2))))) &&
inet_rcv_saddr_equal(sk, sk2, true))
break;
- } else if (!reuseport || !sk2->sk_reuseport ||
+ } else if (!reuseport_ok ||
+ !reuseport || !sk2->sk_reuseport ||
rcu_access_pointer(sk->sk_reuseport_cb) ||
(sk2->sk_state != TCP_TIME_WAIT &&
!uid_eq(uid, sock_i_uid(sk2)))) {
--
2.17.2 (Apple Git-113)
next prev parent reply other threads:[~2020-02-26 7:46 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-26 7:46 [PATCH v2 net-next 0/3] Improve bind(addr, 0) behaviour Kuniyuki Iwashima
2020-02-26 7:46 ` [PATCH v2 net-next 1/3] tcp: Remove unnecessary conditions in inet_csk_bind_conflict() Kuniyuki Iwashima
2020-02-26 7:46 ` [PATCH v2 net-next 2/3] tcp: bind(addr, 0) remove the SO_REUSEADDR restriction when ephemeral ports are exhausted Kuniyuki Iwashima
2020-02-26 7:46 ` Kuniyuki Iwashima [this message]
2020-02-26 17:47 ` [PATCH v2 net-next 3/3] tcp: Prevent port hijacking when " Eric Dumazet
2020-02-29 18:37 ` Kuniyuki Iwashima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200226074631.67688-4-kuniyu@amazon.co.jp \
--to=kuniyu@amazon.co.jp \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuni1840@gmail.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=netdev@vger.kernel.org \
--cc=osa-contribution-log@amazon.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).