tcp: rstreason: fully support in tcp_check_req()

We're going to send an RST due to invalid syn packet which is already
checked whether 1) it is in sequence, 2) it is a retransmitted skb.

As RFC 793 says, if the state of socket is not CLOSED/LISTEN/SYN-SENT,
then we should send an RST when receiving bad syn packet:
"fourth, check the SYN bit,...If the SYN is in the window it is an
error, send a reset"

Signed-off-by: Jason Xing <kernelxing@tencent.com>
Link: https://lore.kernel.org/r/20240510122502.27850-6-kerneljasonxing@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/include/net/rstreason.h b/include/net/rstreason.h
index 7ae5bb55559ba2472b3d0a6b846c6372947c0395..2575c85d7f7ab0168593d2e736a82f2001f394a4 100644 (file)
--- a/include/net/rstreason.h
+++ b/include/net/rstreason.h
@@ -16,6 +16,7 @@
        FN(TCP_OLD_ACK)                 \
        FN(TCP_ABORT_ON_DATA)           \
        FN(TCP_TIMEWAIT_SOCKET)         \
+       FN(INVALID_SYN)                 \
        FN(MPTCP_RST_EUNSPEC)           \
        FN(MPTCP_RST_EMPTCP)            \
        FN(MPTCP_RST_ERESOURCE)         \
@@ -76,6 +77,13 @@ enum sk_rst_reason {
        /* Here start with the independent reasons */
        /** @SK_RST_REASON_TCP_TIMEWAIT_SOCKET: happen on the timewait socket */
        SK_RST_REASON_TCP_TIMEWAIT_SOCKET,
+       /**
+        * @SK_RST_REASON_INVALID_SYN: receive bad syn packet
+        * RFC 793 says if the state is not CLOSED/LISTEN/SYN-SENT then
+        * "fourth, check the SYN bit,...If the SYN is in the window it is
+        * an error, send a reset"
+        */
+       SK_RST_REASON_INVALID_SYN,
 
        /* Copy from include/uapi/linux/mptcp.h.
         * These reset fields will not be changed since they adhere to

diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 7d543569a1809909f5d9a17830de298cfb73205b..b93619b2384b3735ecb6e40238f8367d9afb7e15 100644 (file)
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -879,7 +879,7 @@ embryonic_reset:
                 * avoid becoming vulnerable to outside attack aiming at
                 * resetting legit local connections.
                 */
-               req->rsk_ops->send_reset(sk, skb, SK_RST_REASON_NOT_SPECIFIED);
+               req->rsk_ops->send_reset(sk, skb, SK_RST_REASON_INVALID_SYN);
        } else if (fastopen) { /* received a valid RST pkt */
                reqsk_fastopen_remove(sk, req, true);
                tcp_reset(sk, skb);