From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from gandalf.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id 357B25A0272
	for <passt-dev@passt.top>; Fri,  4 Nov 2022 09:43:45 +0100 (CET)
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4N3Z0W3C3kz4xx7; Fri,  4 Nov 2022 19:43:39 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=201602; t=1667551419;
	bh=6kYjlFqhQBCKGWNayKxrg6uOac1NHEoJB3GCCMudjPM=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=M1KNzT++23aoyItZOmt25BW5LLWoCg1sNz4S/Q6zj7lytouqjblmItJxmwrewVJ0H
	 ULiVcvSVeWil7htfpEbiSD3mmRy2Yg+SH1E46JhamE7Lza12kd3vGBsGR8cJC6DO9T
	 oxCXaTndd9ku83TEzfZKjHhn/wnfAGjXrzaOKeHE=
From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top,
	Stefano Brivio <sbrivio@redhat.com>
Subject: [PATCH 10/10] tcp: Fix small error in tcp_seq_init() time handling
Date: Fri,  4 Nov 2022 19:43:33 +1100
Message-Id: <20221104084333.3761760-11-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221104084333.3761760-1-david@gibson.dropbear.id.au>
References: <20221104084333.3761760-1-david@gibson.dropbear.id.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 2YGZ35E2X4QXSUEFQW2IOJSBWH44RZF7
X-Message-ID-Hash: 2YGZ35E2X4QXSUEFQW2IOJSBWH44RZF7
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.3
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <>
Archived-At: <https://archives.passt.top/passt-dev/20221104084333.3761760-11-david@gibson.dropbear.id.au/>
List-Archive: <>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

It looks like tcp_seq_init() is supposed to advance the sequence number
by one every 32ns.  However we only right shift the ns part of the timespec
not the seconds part, meaning that we'll advance by an extra 32 steps on
each second.

I don't know if that's exploitable in any way, but it doesn't appear to be
the intent, nor what RFC 6528 suggests.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 tcp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tcp.c b/tcp.c
index 59e03ff..941fafb 100644
--- a/tcp.c
+++ b/tcp.c
@@ -2027,8 +2027,8 @@ static void tcp_seq_init(const struct ctx *c, struct tcp_conn *conn,
 
 	seq = siphash_36b((uint8_t *)&in, c->tcp.hash_secret);
 
-	ns = now->tv_sec * 1E9;
-	ns += now->tv_nsec >> 5; /* 32ns ticks, overflows 32 bits every 137s */
+	/* 32ns ticks, overflows 32 bits every 137s */
+	ns = (now->tv_sec * 1E9 + now->tv_nsec) >> 5;
 
 	conn->seq_to_tap = seq + ns;
 }
-- 
2.38.1