Commit 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack
Mitigation") quotes RFC 5961 Section 5.2 in full, which requires
that any incoming segment whose ACK value falls outside
[SND.UNA - MAX.SND.WND, SND.NXT] MUST be discarded and an ACK sent
back. Linux currently sends that challenge ACK only on the lower
edge (SEG.ACK < SND.UNA - MAX.SND.WND); on the symmetric upper edge
(SEG.ACK > SND.NXT) the segment is silently dropped with
SKB_DROP_REASON_TCP_ACK_UNSENT_DATA.
Patch 1 completes the mitigation by emitting a rate-limited challenge
ACK on that branch, reusing tcp_send_challenge_ack() and honouring
FLAG_NO_CHALLENGE_ACK for consistency with the lower-edge case. It
also updates the existing tcp_ts_recent_invalid_ack.pkt selftest,
which drives this exact path, to consume the new challenge ACK so
bisect stays clean.
Patch 2 adds a new packetdrill selftest that exercises RFC 5961
Section 5.2 on both edges of the acceptable window, filling a gap in
the selftests tree (neither edge had dedicated coverage before).
---
Changelog
=========
v1 -> v2:
- Add Reviewed-by tag.
- Fold the tcp_ts_recent_invalid_ack.pkt update into patch 1 so
that bisect stays clean and the fix is self-contained for
backport.
- Extend the new selftest to cover both edges of RFC 5961
Section 5.2 (SEG.ACK > SND.NXT and SEG.ACK < SND.UNA -
MAX.SND.WND) in a single connection, and rename it to
tcp_rfc5961_ack-out-of-window.pkt. Neither edge had explicit
packetdrill coverage before.
v1:
https://lore.kernel.org/netdev/[email protected]/
Jiayuan Chen (2):
tcp: send a challenge ACK on SEG.ACK > SND.NXT
selftests/net: packetdrill: cover RFC 5961 5.2 challenge ACK on both
edges
net/ipv4/tcp_input.c | 10 ++--
.../tcp_rfc5961_ack-out-of-window.pkt | 46 +++++++++++++++++++
.../packetdrill/tcp_ts_recent_invalid_ack.pkt | 4 +-
3 files changed, 56 insertions(+), 4 deletions(-)
create mode 100644
tools/testing/selftests/net/packetdrill/tcp_rfc5961_ack-out-of-window.pkt
--
2.43.0
