On 04/27/2018 05:17 AM, Toke Høiland-Jørgensen wrote:
...
> +
> +static struct sk_buff *cake_ack_filter(struct cake_sched_data *q,
> + struct cake_flow *flow)
> +{
> + int seglen;
> + struct sk_buff *skb = flow->tail, *skb_check, *skb_check_prev;
> + struct iphdr *iph, *iph_check;
> + struct ipv6hdr *ipv6h, *ipv6h_check;
> + struct tcphdr *tcph, *tcph_check;
> + bool otherconn_ack_seen = false;
> + struct sk_buff *otherconn_checked_to = NULL;
> + bool thisconn_redundant_seen = false, thisconn_seen_last = false;
> + struct sk_buff *thisconn_checked_to = NULL, *thisconn_ack = NULL;
> + bool aggressive = q->ack_filter == CAKE_ACK_AGGRESSIVE;
> +
> + /* no other possible ACKs to filter */
> + if (flow->head == skb)
> + return NULL;
> +
> + iph = skb->encapsulation ? inner_ip_hdr(skb) : ip_hdr(skb);
> + ipv6h = skb->encapsulation ? inner_ipv6_hdr(skb) : ipv6_hdr(skb);
> +
> + /* check that the innermost network header is v4/v6, and contains TCP */
> + if (pskb_may_pull(skb, ((unsigned char *)iph - skb->head) +
> sizeof(struct iphdr)) &&
> + iph->version == 4) {
> + if (iph->protocol != IPPROTO_TCP)
> + return NULL;
> + seglen = ntohs(iph->tot_len) - (4 * iph->ihl);
> + tcph = (struct tcphdr *)((void *)iph + (4 * iph->ihl));
> + if (!pskb_may_pull(skb, ((unsigned char *)tcph - skb->head) +
> sizeof(struct tcphdr)))
> + return NULL;
> + } else if (pskb_may_pull(skb, ((unsigned char *)ipv6h - skb->head) +
> sizeof(struct ipv6hdr) + sizeof(struct tcphdr)) &&
> + ipv6h->version == 6) {
> + if (ipv6h->nexthdr != IPPROTO_TCP)
> + return NULL;
> + seglen = ntohs(ipv6h->payload_len);
> + tcph = (struct tcphdr *)((void *)ipv6h +
> + sizeof(struct ipv6hdr));
> + } else {
> + return NULL;
> + }
> +
This is still broken.
After pskb_may_pull(), skb->head might have been reallocated.
You need to recompute iph , ipv6h, tcph, otherwise you are reading freed memory
and crash kernels
with sufficient debugging (KASAN and other CONFIG_DEBUG_PAGEALLOC /
CONFIG_DEBUG_SLAB like options)
