From: Eric Dumazet <[email protected]>
Date: Wed, 1 Jul 2020 12:41:23 -0700
> Whenever cookie_init_timestamp() has been used to encode
> ECN,SACK,WSCALE options, we can not remove the TS option in the SYNACK.
>
> Otherwise, tcp_synack_options() will still advertize options like WSCALE
> that we can not deduce later when receiving the packet from the client
> to complete 3WHS.
>
> Note that modern linux TCP stacks wont use MD5+TS+SACK in a SYN packet,
> but we can not know for sure that all TCP stacks have the same logic.
>
> Before the fix a tcpdump would exhibit this wrong exchange :
>
> 10:12:15.464591 IP C > S: Flags [S], seq 4202415601, win 65535, options
> [nop,nop,md5 valid,mss 1400,sackOK,TS val 456965269 ecr 0,nop,wscale 8],
> length 0
> 10:12:15.464602 IP S > C: Flags [S.], seq 253516766, ack 4202415602, win
> 65535, options [nop,nop,md5 valid,mss 1400,nop,nop,sackOK,nop,wscale 8],
> length 0
> 10:12:15.464611 IP C > S: Flags [.], ack 1, win 256, options [nop,nop,md5
> valid], length 0
> 10:12:15.464678 IP C > S: Flags [P.], seq 1:13, ack 1, win 256, options
> [nop,nop,md5 valid], length 12
> 10:12:15.464685 IP S > C: Flags [.], ack 13, win 65535, options [nop,nop,md5
> valid], length 0
>
> After this patch the exchange looks saner :
>
> 11:59:59.882990 IP C > S: Flags [S], seq 517075944, win 65535, options
> [nop,nop,md5 valid,mss 1400,sackOK,TS val 1751508483 ecr 0,nop,wscale 8],
> length 0
> 11:59:59.883002 IP S > C: Flags [S.], seq 1902939253, ack 517075945, win
> 65535, options [nop,nop,md5 valid,mss 1400,sackOK,TS val 1751508479 ecr
> 1751508483,nop,wscale 8], length 0
> 11:59:59.883012 IP C > S: Flags [.], ack 1, win 256, options [nop,nop,md5
> valid,nop,nop,TS val 1751508483 ecr 1751508479], length 0
> 11:59:59.883114 IP C > S: Flags [P.], seq 1:13, ack 1, win 256, options
> [nop,nop,md5 valid,nop,nop,TS val 1751508483 ecr 1751508479], length 12
> 11:59:59.883122 IP S > C: Flags [.], ack 13, win 256, options [nop,nop,md5
> valid,nop,nop,TS val 1751508483 ecr 1751508483], length 0
> 11:59:59.883152 IP S > C: Flags [P.], seq 1:13, ack 13, win 256, options
> [nop,nop,md5 valid,nop,nop,TS val 1751508484 ecr 1751508483], length 12
> 11:59:59.883170 IP C > S: Flags [.], ack 13, win 256, options [nop,nop,md5
> valid,nop,nop,TS val 1751508484 ecr 1751508484], length 0
>
> Of course, no SACK block will ever be added later, but nothing should break.
> Technically, we could remove the 4 nops included in MD5+TS options,
> but again some stacks could break seeing not conventional alignment.
>
> Fixes: 4957faade11b ("TCPCT part 1g: Responder Cookie => Initiator")
I really love the archaeology of such artifacts :-)
> Signed-off-by: Eric Dumazet <[email protected]>
Applied and queued up for -stable, thanks.
