netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Eric Dumazet <edumazet@google.com>
To: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
Cc: David Miller <davem@davemloft.net>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	kuni1840@gmail.com, netdev <netdev@vger.kernel.org>,
	osa-contribution-log@amazon.com
Subject: Re: [PATCH v2 net-next 3/3] tcp: Prevent port hijacking when ports are exhausted.
Date: Wed, 26 Feb 2020 09:47:26 -0800	[thread overview]
Message-ID: <CANn89i+m9yKkaVLUm9P8+gTSOMtvrJgsvHfKAjXCZ5_9Wf0-9w@mail.gmail.com> (raw)
In-Reply-To: <20200226074631.67688-4-kuniyu@amazon.co.jp>

On Tue, Feb 25, 2020 at 11:46 PM Kuniyuki Iwashima <kuniyu@amazon.co.jp> wrote:
>
> If all of the sockets bound to the same port have SO_REUSEADDR and
> SO_REUSEPORT enabled, any other user can hijack the port by exhausting all
> ephemeral ports, binding sockets to (addr, 0) and calling listen().
>

Yes, an user (application) can steal all ports by opening many
sockets, bind to (addr, 0) and calling listen().

This changelog is rather confusing, and your patch does not solve this
precise problem.
Patch titles are important, you are claiming something, but I fail to
see how the patch solves the problem stated in the title.

Please be more specific, and add tests officially, in tools/testing/selftests/


> If both of SO_REUSEADDR and SO_REUSEPORT are enabled, the restriction of
> SO_REUSEPORT should be taken into account so that can only one socket be in
> TCP_LISTEN.

Sorry, I do not understand this. If I do not understand the sentence,
I do not read the patch
changing one piece of code that has been very often broken in the past.

Please spend time on the changelog to give the exact outcome and goals.

Thanks.

>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
> ---
>  net/ipv4/inet_connection_sock.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
> index cddeab240ea6..d27ed5fe7147 100644
> --- a/net/ipv4/inet_connection_sock.c
> +++ b/net/ipv4/inet_connection_sock.c
> @@ -131,7 +131,7 @@ static int inet_csk_bind_conflict(const struct sock *sk,
>  {
>         struct sock *sk2;
>         bool reuse = sk->sk_reuse;
> -       bool reuseport = !!sk->sk_reuseport && reuseport_ok;
> +       bool reuseport = !!sk->sk_reuseport;
>         kuid_t uid = sock_i_uid((struct sock *)sk);
>
>         /*
> @@ -148,10 +148,16 @@ static int inet_csk_bind_conflict(const struct sock *sk,
>                      sk->sk_bound_dev_if == sk2->sk_bound_dev_if)) {
>                         if (reuse && sk2->sk_reuse &&
>                             sk2->sk_state != TCP_LISTEN) {
> -                               if (!relax &&
> +                               if ((!relax ||
> +                                    (!reuseport_ok &&
> +                                     reuseport && sk2->sk_reuseport &&
> +                                     !rcu_access_pointer(sk->sk_reuseport_cb) &&
> +                                     (sk2->sk_state == TCP_TIME_WAIT ||
> +                                      uid_eq(uid, sock_i_uid(sk2))))) &&
>                                     inet_rcv_saddr_equal(sk, sk2, true))
>                                         break;
> -                       } else if (!reuseport || !sk2->sk_reuseport ||
> +                       } else if (!reuseport_ok ||
> +                                  !reuseport || !sk2->sk_reuseport ||
>                                    rcu_access_pointer(sk->sk_reuseport_cb) ||
>                                    (sk2->sk_state != TCP_TIME_WAIT &&
>                                     !uid_eq(uid, sock_i_uid(sk2)))) {
> --
> 2.17.2 (Apple Git-113)
>

  reply	other threads:[~2020-02-26 17:47 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-26  7:46 [PATCH v2 net-next 0/3] Improve bind(addr, 0) behaviour Kuniyuki Iwashima
2020-02-26  7:46 ` [PATCH v2 net-next 1/3] tcp: Remove unnecessary conditions in inet_csk_bind_conflict() Kuniyuki Iwashima
2020-02-26  7:46 ` [PATCH v2 net-next 2/3] tcp: bind(addr, 0) remove the SO_REUSEADDR restriction when ephemeral ports are exhausted Kuniyuki Iwashima
2020-02-26  7:46 ` [PATCH v2 net-next 3/3] tcp: Prevent port hijacking when " Kuniyuki Iwashima
2020-02-26 17:47   ` Eric Dumazet [this message]
2020-02-29 18:37     ` Kuniyuki Iwashima

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CANn89i+m9yKkaVLUm9P8+gTSOMtvrJgsvHfKAjXCZ5_9Wf0-9w@mail.gmail.com \
    --to=edumazet@google.com \
    --cc=davem@davemloft.net \
    --cc=kuni1840@gmail.com \
    --cc=kuniyu@amazon.co.jp \
    --cc=kuznet@ms2.inr.ac.ru \
    --cc=netdev@vger.kernel.org \
    --cc=osa-contribution-log@amazon.com \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).