On 11/5/21 4:08 AM, Dmitry Safonov wrote:
On 11/1/21 16:34, Leonard Crestez wrote: [..]
+/* Find TCP_AUTHOPT in header.
- Returns pointer to TCP_AUTHOPT or NULL if not found.
- */
+static u8 *tcp_authopt_find_option(struct tcphdr *th) +{
- int length = (th->doff << 2) - sizeof(*th);
- u8 *ptr = (u8 *)(th + 1);
- while (length >= 2) {
int opcode = *ptr++;
int opsize;
switch (opcode) {
case TCPOPT_EOL:
return NULL;
case TCPOPT_NOP:
length--;
continue;
default:
if (length < 2)
return NULL;
^ never true, as checked by the loop condition
opsize = *ptr++;
if (opsize < 2)
return NULL;
if (opsize > length)
return NULL;
if (opcode == TCPOPT_AUTHOPT)
return ptr - 2;
}
ptr += opsize - 2;
length -= opsize;
- }
- return NULL;
+}
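Review bot: the `if (length < 2) return NULL;` at the top of the default case is dead code, because the loop only runs while `length >= 2`; either drop it or change the guard to `while (length > 0)` so that a lone trailing kind byte with no length byte is rejected rather than silently ignored (the `length--; continue;` for TCPOPT_NOP stays correct either way). The header comment should also say what is returned: `ptr - 2` is the option's kind byte, not its payload, so "Returns pointer to TCP_AUTHOPT" should read "Returns pointer to the kind byte of the TCP_AUTHOPT option". Since the body is tcp_parse_md5sig_option() with only the kind compared changed, a shared walker taking the option kind as an argument would avoid the duplicate.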
Why copy'n'paste tcp_parse_md5sig_option(), rather than add a new argument to the function?
No good reason.
There is a requirement in RFC5925 that packets with both AO and MD5 signatures be dropped. This currently works but the implementation is convoluted: after an AO signature is found, an error is returned if MD5 is also present.
A better solution would be to do a single scan for both options up front, for example in tcp_{v4,v6}_auth_inbound_check
-- Regards, Leonard
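The single up-front scan for both options that the reply above suggests, written out as an added userspace example; this is not code from the patch or from the kernel. It assumes local definitions of the option kinds (TCPOPT_MD5SIG = 19 from RFC 2385, TCPOPT_AUTHOPT = 29 from RFC 5925, named as in the patch) and a function name tcp_auth_inbound_check chosen here for illustration. Unlike the patch's walker it loops while `length > 0`, so the `length < 2` check is live and a kind byte with no length byte is treated as malformed; a malformed option list, or a segment carrying both MD5 and AO, is rejected.

```c
/* Added example (not the patch's or the kernel's code): one pass over the
 * TCP option list locating both the TCP-MD5 and the TCP-AO option, so the
 * RFC 5925 rule that a segment carrying both must be dropped can be applied
 * before either signature is verified.  Userspace only; option kinds and
 * sample data are defined here, not taken from kernel headers. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_EOL      0
#define TCPOPT_NOP      1
#define TCPOPT_MD5SIG   19  /* RFC 2385, kind + len + 16-byte digest = 18 */
#define TCPOPT_AUTHOPT  29  /* RFC 5925 TCP-AO, name as used in the patch */

/* Scan result: pointer to the kind byte of each option, or NULL if absent. */
struct tcp_auth_opts {
	const uint8_t *md5;
	const uint8_t *ao;
};

/* Walk the option area (opts, optlen bytes) once.
 * Returns 0 for a well-formed list, -1 for a malformed one (kind byte
 * without a length byte, length < 2, or option longer than what is left). */
static int tcp_scan_auth_options(const uint8_t *opts, int optlen,
				 struct tcp_auth_opts *out)
{
	const uint8_t *ptr = opts;
	int length = optlen;

	out->md5 = NULL;
	out->ao = NULL;

	while (length > 0) {
		int opcode = *ptr++;
		int opsize;

		switch (opcode) {
		case TCPOPT_EOL:
			return 0;
		case TCPOPT_NOP:
			length--;
			continue;
		default:
			if (length < 2)
				return -1;	/* kind byte, no length byte */
			opsize = *ptr++;
			if (opsize < 2 || opsize > length)
				return -1;	/* bogus or truncated option */
			if (opcode == TCPOPT_MD5SIG && !out->md5)
				out->md5 = ptr - 2;	/* points at kind byte */
			else if (opcode == TCPOPT_AUTHOPT && !out->ao)
				out->ao = ptr - 2;
			ptr += opsize - 2;
			length -= opsize;
		}
	}
	return 0;
}

/* Inbound policy (hypothetical name): 1 = pass on to AO/MD5 verification,
 * 0 = drop because the options are malformed or both AO and MD5 are present. */
static int tcp_auth_inbound_check(const uint8_t *opts, int optlen)
{
	struct tcp_auth_opts o;

	if (tcp_scan_auth_options(opts, optlen, &o) < 0)
		return 0;
	if (o.md5 && o.ao)
		return 0;	/* RFC 5925: a segment with both is discarded */
	return 1;
}

/* Offset of the AO option's kind byte, or -1 if absent or list malformed. */
static int tcp_ao_option_offset(const uint8_t *opts, int optlen)
{
	struct tcp_auth_opts o;

	if (tcp_scan_auth_options(opts, optlen, &o) < 0 || !o.ao)
		return -1;
	return (int)(o.ao - opts);
}

/* Constructed sample option lists (not captured traffic); MAC bytes are 0. */
static const uint8_t opts_md5_only[] = {
	TCPOPT_NOP, TCPOPT_NOP,
	TCPOPT_MD5SIG, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t opts_both[] = {
	TCPOPT_MD5SIG, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	/* AO: kind, len, KeyID, RNextKeyID, 12-byte MAC (HMAC-SHA-1-96) */
	TCPOPT_AUTHOPT, 16, 1, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t opts_truncated_ao[] = { TCPOPT_AUTHOPT, 16, 1, 2 };
static const uint8_t opts_lone_kind[] = { TCPOPT_NOP, TCPOPT_MD5SIG };
static const uint8_t opts_after_eol[] = {
	TCPOPT_EOL, TCPOPT_MD5SIG, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
	printf("md5 only:     %d\n", tcp_auth_inbound_check(opts_md5_only, sizeof opts_md5_only));
	printf("md5 + ao:     %d\n", tcp_auth_inbound_check(opts_both, sizeof opts_both));
	printf("truncated ao: %d\n", tcp_auth_inbound_check(opts_truncated_ao, sizeof opts_truncated_ao));
	printf("lone kind:    %d\n", tcp_auth_inbound_check(opts_lone_kind, sizeof opts_lone_kind));
	printf("after eol:    %d\n", tcp_auth_inbound_check(opts_after_eol, sizeof opts_after_eol));
	printf("ao offset in opts_both: %d\n", tcp_ao_option_offset(opts_both, sizeof opts_both));
	return 0;
}
```

The scan records only the first occurrence of each kind and keeps walking, so a duplicate MD5 or AO option does not hide the other one; whether to reject duplicates as well is a policy decision left to the caller.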