Commit 24481a7f authored by David Howells's avatar David Howells Committed by Jakub Kicinski
Browse files

rxrpc: Fix conn-level packet handling to unshare RESPONSE packets 

The security operations that verify the RESPONSE packets decrypt bits of it
in place - however, the sk_buff may be shared with a packet sniffer, which
would lead to the sniffer seeing an apparently corrupt packet (actually
decrypted).

Fix this by handing a copy of the packet off to the specific security
handler if the packet was cloned.

Fixes: 17926a79 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com


Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 1f274015

net/rxrpc/conn_event.c

+28 −1
Original line number Diff line number Diff line
@@ -240,6 +240,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call) 
		rxrpc_notify_socket(call);

}



static int rxrpc_verify_response(struct rxrpc_connection *conn,

				 struct sk_buff *skb)

{

	int ret;



	if (skb_cloned(skb)) {

		/* Copy the packet if shared so that we can do in-place

		 * decryption.

		 */

		struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);



		if (nskb) {

			rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);

			ret = conn->security->verify_response(conn, nskb);

			rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);

		} else {

			/* OOM - Drop the packet. */

			rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);

			ret = -ENOMEM;

		}

	} else {

		ret = conn->security->verify_response(conn, skb);

	}



	return ret;

}



/*

 * connection-level Rx packet processor

 */
@@ -270,7 +297,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn, 
		}

		spin_unlock_irq(&conn->state_lock);



		ret = conn->security->verify_response(conn, skb);

		ret = rxrpc_verify_response(conn, skb);

		if (ret < 0)

			return ret;