Do not drop skb to have ability to processs WINDOW_UPDATE #2274
Conversation
EvgeniiMekhanik
force-pushed
the
MekhanikEvgenii/fix-2267-next
branch
from
b60311c
to
269783c
Compare
EvgeniiMekhanik
changed the title
EvgeniiMekhanik
force-pushed
the
MekhanikEvgenii/fix-2267-next
branch
from
269783c
to
6c9235d
Compare
| case T_POSTPONE: | ||
| /* No complete TLS record seen yet. */ | ||
| spin_unlock(&tls->lock); | ||
| /* | ||
| * save_error_code is T_OK or T_BAD if error occurs | ||
| * on one of the previous steps. | ||
| */ | ||
| return save_err_code; | ||
| return T_OK; |
There was a problem hiding this comment.
Please fix the comment above.
lib/log.h
Outdated
| @@ -64,6 +64,22 @@ enum { | |||
| T_OK = 0, | |||
| }; | |||
|
|
|||
| static inline int | |||
| tfw_handle_error(int r, int *save_err_code, bool was_stopped) | |||
There was a problem hiding this comment.
lib/log.g is definitely not appropriate place for tfw_handle_error() I would propose to move it to connection.h or another place.
There was a problem hiding this comment.
Yes implement special file to this case
fw/connection.c
Outdated
| } else { | ||
| r = tfw_http_msg_process(conn, skb, &split, | ||
| save_err_code); | ||
| } |
There was a problem hiding this comment.
Braces are not necessary here
| goto out; /* connection must be dropped */ | ||
| r = SS_CALL(connection_recv, conn, skb, &tmp_save_err_code); | ||
| WARN_ON(r && tmp_save_err_code); | ||
| r = tfw_handle_error(r, &save_err_code, was_stopped); |
There was a problem hiding this comment.
We do tfw_handle_error() on tls layer and http layer why do we need it here? In my understanding, tls and http layer are responsible for error handling and here we should have only result from upper layers.
There was a problem hiding this comment.
In this function we drop unprocessed skb at the end of the function. We should not do it case of T_BAD. So we call this function here also.
| @@ -820,6 +820,9 @@ ss_tcp_process_skb(struct sock *sk, struct sk_buff *skb, int *processed) | |||
| void *conn; | |||
| struct sk_buff *skb_head = NULL; | |||
| struct tcp_sock *tp = tcp_sk(sk); | |||
| int save_err_code = SS_OK, tmp_save_err_code; | |||
There was a problem hiding this comment.
I must notice that save_err_code has life time the same ss_tcp_process_skb() it means, client can send multiple bad packets with some interval, but save_err_code will be SS_OK.
There was a problem hiding this comment.
In this case we use Conn_Stop bit. If error occurs on previous call of this function Conn_Stop bit was set.
| @@ -187,7 +185,8 @@ tfw_tls_connection_recv(TfwConn *conn, struct sk_buff *skb) | |||
| tfw_tls_purge_io_ctx(&tls->io_in); | |||
| kfree_skb(nskb); | |||
| spin_unlock(&tls->lock); | |||
| return T_BAD; | |||
| return tfw_handle_error(T_BAD, save_err_code, | |||
There was a problem hiding this comment.
Why we calling tfw_handle_error() instead of return SS_BLOCK_WITH_RST? It looks confusing, we must drop connection in case of such errors.
There was a problem hiding this comment.
This function returns T_BAD if it first error (in this case we send tcp_shutdown as it was before) or BLOCK_WITH_RST if it is a seconf error
|
@krizhanovsky I have a question. If something wen wrong and we close connection with TCP RST, we call ss_close -> ss_do_close. But ss_do_close we be called later in ss_tx_action. So if some new skbs from client come before ss_do_close will be called there will be some TLS warnings in dmesg (because we can't decrypt them). Is it ok or we should implement special flag to drop such skbs? |
EvgeniiMekhanik
force-pushed
the
MekhanikEvgenii/fix-2267-next
branch
from
6c9235d
to
06644cf
Compare
|
I've got just a cursory glance, so I might be mistaken. The logic looks a bit complex with these fine-tune flags and details. Does this work for HTTP2 only? I far as I understand, thus should not happen for HTTP. It's not obvious, not from the commit message, and not from comments in the code. Perhaps, this should be made obvious both in the code comments in appropriate places, and in the commit message. Thanks! |
EvgeniiMekhanik
force-pushed
the
MekhanikEvgenii/fix-2267-next
branch
3 times, most recently
from
6fe12a2
to
d8ddf2d
Compare
There is a lag between calling ss_close\ss_shutdown and real socket closing, because we close socket later from `ss_tx_action`. Set Conn_Stop bit to prevent any further processing if connection is closinga and this bit was not set by upper layer.
In case when error occurs we should continue to process WINDOW_UPDATE frames. If we drop skb in case of error we can't to continue decrypt new tls records and can't continue to process WINDOW_UPDATE frames. Also there are a lot of annoying TLS warnings in dmesg. This patch fixes this problems. For HTTP1 connections we stop processing new incomming messages immediately.
EvgeniiMekhanik
force-pushed
the
MekhanikEvgenii/fix-2267-next
branch
from
d8ddf2d
to
8863547
Compare
There was a problem hiding this comment.
LGTM.
Regarding TLS warnings it's not OK since it will bother users. However,
- this seems not a crucial event, so maybe we just should replace the warnings with T_DBG
- I'm worried that we put a lot of effort and add significant complexity to the code just to accept HTTP/2 WINDOW_UPDATE frames while we're sending an error message to an attacker or an unhappy client. Should we really do this? This is unlucky situation anyway. Also probably in most cases we'll be fine with the current widow and won't need to adjust it during the error response transmission. Also this could impact security since already blocked client still able to send us some messages and we do spend resources on them. We do need to process WINDOW_UPDATE on normal response transmission with closing connection, but it's debatable for error responses.
Probably we should discuss this on the next call.
| * but still continue to process rest of SKBs and parse data, | ||
| * that is dangerous. | ||
| */ | ||
| TFW_CONN_TYPE(conn) |= Conn_Stop; |
There was a problem hiding this comment.
Why do we remove the code? IIUC ss_tcp_data_ready() now sets the flag, but only after tfw_http_resp_process() call. But we benefit from earlier setting of Conn_Stop flag, i.e. in tfw_http_resp_process(). It seems we should leave setting the flag in ss_tcp_data_ready(), but still leave this code as well.
| *save_err_code = T_OK; | ||
| } | ||
| return r; | ||
| } |
There was a problem hiding this comment.
This function specific for fw/ code and has nothing with tls or db, so probably shouldn't be in lib
Should be merged only after #2272