Differential D35532

Unlock inp when handling TCP_MD5SIG socket options
ClosedPublic
Actions

Authored by thj on Jun 20 2022, 1:15 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Sun, Apr 21, 4:30 PM

	Unknown Object (File)
	Feb 10 2024, 6:07 PM

	Unknown Object (File)
	Jan 31 2024, 1:35 AM

	Unknown Object (File)
	Jan 31 2024, 1:35 AM

	Unknown Object (File)
	Dec 22 2023, 9:34 PM

	Unknown Object (File)
	Dec 16 2023, 1:41 AM

	Unknown Object (File)
	Nov 30 2023, 3:19 PM

	Unknown Object (File)
	Nov 30 2023, 3:19 PM

View All 50 Files

Subscribers

Details

Reviewers

ae
jhb
rscheff
tuexen

Group Reviewers

transport
Klara

Commits

rGdc2e12abb22a: Unlock inp when handling TCP_MD5SIG socket options
rG795888971628: Add tests for TCP_MD5 getsockopt
rG97453e5e7258: Unlock inp when handling TCP_MD5SIG socket options

Summary

Unlock the inp when hanlding TCP_MD5SIG socket options. tcp_ipsec_pcbctl
handles locking the inp when the option is being modified.

This was found by Claudio Jeker while OpenBGPd and the fix is from him.

On 14 we get a panic when trying to call getsockopt, on 13.1 the process locks
up using 100% CPU.

Test Plan

The following test case exercises the behaviour with the tcpmd5 kernel module
loaded.

#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

#include <err.h>

int
main(int argc, char **argv)
{
        struct sockaddr_in s = { 0 };
        socklen_t len;
        int fd, opt;

        if ((fd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
                err(1, "socket");

        s.sin_family = AF_INET;
        s.sin_len = sizeof(s);
        s.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        s.sin_port = htons(22);
        if (connect(fd, (struct sockaddr *)&s, sizeof(s)) == -1)
                err(1, "connect");

        if (getsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &opt, &len) == -1)
                err(1, "getsockopt");

        return opt;
}

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

thj created this revision.Jun 20 2022, 1:15 PM

Herald added 1 blocking reviewer(s): transport. · View Herald TranscriptJun 20 2022, 1:15 PM

Herald added subscribers: glebius, melifaro, imp. · View Herald Transcript

thj requested review of this revision.Jun 20 2022, 1:15 PM

Harbormaster completed remote builds in B46040: Diff 107188.Jun 20 2022, 1:16 PM

rscheff accepted this revision.Jun 20 2022, 1:35 PM

This revision is now accepted and ready to land.Jun 20 2022, 1:35 PM

tuexen accepted this revision.Jun 20 2022, 2:10 PM

Would it be possible to add the testcase for both IPv4 and IPv6?

Add test cases for getsockopt

This revision now requires review to proceed.Jun 22 2022, 3:06 PM

Herald added a subscriber: asomers. · View Herald TranscriptJun 22 2022, 3:06 PM

Harbormaster completed remote builds in B46061: Diff 107246.Jun 22 2022, 3:06 PM

rscheff accepted this revision.Jun 22 2022, 4:29 PM

This revision is now accepted and ready to land.Jun 22 2022, 4:29 PM

Correct copyright

This revision now requires review to proceed.Jun 23 2022, 2:48 PM

Harbormaster completed remote builds in B46094: Diff 107296.Jun 23 2022, 2:48 PM

This revision was not accepted when it landed; it landed in state Needs Review.Jun 23 2022, 2:59 PM

Closed by commit rG97453e5e7258: Unlock inp when handling TCP_MD5SIG socket options (authored by Claudio Jeker <claudio@openbsd.org>, committed by thj). · Explain Why

This revision was automatically updated to reflect the committed changes.

thj added a commit: rG97453e5e7258: Unlock inp when handling TCP_MD5SIG socket options.

thj added a commit: rG795888971628: Add tests for TCP_MD5 getsockopt.

thj added a commit: rGdc2e12abb22a: Unlock inp when handling TCP_MD5SIG socket options.Jul 20 2022, 3:25 PM

Revision Contents
Changeset List

Path

Size

sys/

netinet/

11 lines

Diff 107297

sys/netinet/tcp_usrreq.c

Loading...