Commit 12083d72 authored Dec 04, 2023 by Dmitry Safonov Committed by Paolo Abeni Dec 06, 2023

net/tcp: Don't add key with non-matching VRF on connected sockets



If the connection was established, don't allow adding TCP-AO keys that
don't match the peer. Currently, there are checks for ip-address
matching, but L3 index check is missing. Add it to restrict userspace
shooting itself somewhere.

Yet, nothing restricts the CAP_NET_RAW user from trying to shoot
themselves by performing setsockopt(SO_BINDTODEVICE) or
setsockopt(SO_BINDTOIFINDEX) over an established TCP-AO connection.
So, this is just "minimum effort" to potentially save someone's
debugging time, rather than a full restriction on doing weird things.

Fixes: 248411b8 ("net/tcp: Wire up l3index to TCP-AO")
Signed-off-by: Dmitry Safonov <dima@arista.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent 965c00e4

net/ipv4/tcp_ao.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -1608,6 +1608,15 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned short int family,
		if (!dev \|\| !l3index)
		return -EINVAL;

		if (!bound_dev_if \|\| bound_dev_if != cmd.ifindex) {
		/* tcp_ao_established_key() doesn't expect having
		* non peer-matching key on an established TCP-AO
		* connection.
		*/
		if (!((1 << sk->sk_state) & (TCPF_LISTEN \| TCPF_CLOSE)))
		return -EINVAL;
		}

		/* It's still possible to bind after adding keys or even
		* re-bind to a different dev (with CAP_NET_RAW).
		* So, no reason to return error here, rather try to be