On Wed, May 29, 2024 at 06:29:32PM +0100, Dmitry Safonov via B4 Relay wrote:
From: Dmitry Safonov <0x7f454c46@gmail.com>
TCP_CLOSE may or may not have current/rnext keys and should not be considered "established". The fast-path for TCP_CLOSE is SKB_DROP_REASON_TCP_CLOSE. This is what tcp_rcv_state_process() does anyways. Add an early drop path to not spend any time verifying segment signatures for sockets in TCP_CLOSE state.
Cc: stable@vger.kernel.org # v6.7
Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
Signed-off-by: Dmitry Safonov <0x7f454c46@gmail.com>
...
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 781b67a52571..37c42b63ff99 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -933,6 +933,7 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, struct tcp_ao_key *key; __be32 sisn, disn; u8 *traffic_key;
- int state; u32 sne = 0;
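Review bot: the `int state;` declaration in tcp_inbound_ao_hash() sits between `u8 *traffic_key;` and `u32 sne = 0;`, which interrupts the longest-to-shortest ordering the other locals in this hunk follow; placing it below `u32 sne = 0;` keeps the block in that order. Only the declaration is visible in these lines, so the assignment to `state` and the TCP_CLOSE check the commit message describes cannot be reviewed from this hunk.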
Hi Dmitry,
It's probably not a good reason to respin this patch, but if you do make a v2 for some other reason, please consider reverse xmas tree order - longest line to shortest for local variable declarations - here.
I'll leave actual review of this patch to others.
...