From: David Gibson
To: passt-dev@passt.top, Stefano Brivio
Subject: [PATCH 10/10] tcp: Fix small error in tcp_seq_init() time handling
Date: Fri, 4 Nov 2022 19:43:33 +1100
Message-Id: <20221104084333.3761760-11-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221104084333.3761760-1-david@gibson.dropbear.id.au>
References: <20221104084333.3761760-1-david@gibson.dropbear.id.au>
CC: David Gibson
List-Id: Development discussion and patches for passt

It looks like tcp_seq_init() is supposed to advance the sequence number by
one every 32ns.  However, we only right-shift the ns part of the timespec,
not the seconds part, meaning that we'll advance by an extra 32 steps on
each second.

I don't know if that's exploitable in any way, but it doesn't appear to be
the intent, nor what RFC 6528 suggests.

Signed-off-by: David Gibson
---
 tcp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tcp.c b/tcp.c
index 59e03ff..941fafb 100644
--- a/tcp.c
+++ b/tcp.c
@@ -2027,8 +2027,8 @@ static void tcp_seq_init(const struct ctx *c, struct tcp_conn *conn,
 	seq = siphash_36b((uint8_t *)&in, c->tcp.hash_secret);
-	ns = now->tv_sec * 1E9;
-	ns += now->tv_nsec >> 5; /* 32ns ticks, overflows 32 bits every 137s */
+	/* 32ns ticks, overflows 32 bits every 137s */
+	ns = (now->tv_sec * 1E9 + now->tv_nsec) >> 5;
 	conn->seq_to_tap = seq + ns;
 }
-- 
2.38.1
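Review bot: the added line `ns = (now->tv_sec * 1E9 + now->tv_nsec) >> 5;` will not compile as C, because `1E9` is a double literal, so the parenthesised sum has type double and `>>` is only defined for integer operands. The removed lines got away with the double because the product was assigned straight to `ns` and only `tv_nsec`, an integer, was shifted. Use an integer constant instead, for example `ns = (now->tv_sec * 1000000000 + now->tv_nsec) >> 5;`; with a 64-bit time_t the product fits in 64 bits, and it also keeps the intermediate exact, whereas `tv_sec * 1E9` (about 1.7e18 today) already exceeds the 53-bit mantissa of a double. The moved comment "32ns ticks, overflows 32 bits every 137s" is still accurate for the corrected expression (2^32 ticks of 32 ns is 137.4 s).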
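The 32 ns tick arithmetic the commit message describes, as an added example that is not part of the patch or of passt: it computes the time component of the ISN the way the removed lines did and the way the added lines intend, in plain integer arithmetic, so the per-second step of each variant and the 137 s wrap of the corrected one can be checked directly. The hash term is passed in as a parameter rather than computed with passt's siphash_36b(); NS_PER_SEC, TICK_SHIFT, the function names and the timestamps used are this example's own.

```c
/* Added example, not passt code: RFC 6528-style ISN time component in
 * 32 ns ticks, computed the pre-patch way and the intended way. The hash
 * term is a parameter here; passt derives it from siphash_36b(). The macro
 * and function names are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define NS_PER_SEC 1000000000ULL   /* integer constant, so ">>" is legal C */
#define TICK_SHIFT 5               /* one tick = 2^5 ns = 32 ns */

/* Pre-patch arithmetic: seconds are scaled to ns but never shifted, so each
 * elapsed second adds 1e9 to the component instead of 1e9 / 32. */
static uint32_t isn_time_before(const struct timespec *now)
{
	uint64_t ns = (uint64_t)now->tv_sec * NS_PER_SEC;

	ns += (uint64_t)now->tv_nsec >> TICK_SHIFT;
	return (uint32_t)ns;	/* truncated to the 32-bit sequence space */
}

/* Post-patch arithmetic: shift the whole timestamp, one tick per 32 ns. */
static uint32_t isn_time_after(const struct timespec *now)
{
	uint64_t ns = (uint64_t)now->tv_sec * NS_PER_SEC + (uint64_t)now->tv_nsec;

	return (uint32_t)(ns >> TICK_SHIFT);
}

/* ISN = secret per-4-tuple hash + time component, modulo 2^32. */
static uint32_t isn(uint32_t hash, uint32_t time_component)
{
	return hash + time_component;
}

/* Distance the time component moves from (sa, na) to (sb, nb), modulo 2^32. */
static uint32_t step(uint32_t (*fn)(const struct timespec *),
		     time_t sa, long na, time_t sb, long nb)
{
	struct timespec a = { .tv_sec = sa, .tv_nsec = na };
	struct timespec b = { .tv_sec = sb, .tv_nsec = nb };

	return fn(&b) - fn(&a);	/* unsigned subtraction: wraps like the ISN */
}

int main(void)
{
	/* Constructed timestamps one second apart: 1e9 before, 1e9 / 32 after */
	printf("1 s step, before: %" PRIu32 "\n",
	       step(isn_time_before, 1667551419, 0, 1667551420, 0));
	printf("1 s step, after:  %" PRIu32 "\n",
	       step(isn_time_after, 1667551419, 0, 1667551420, 0));
	/* 320 ns apart within one second: both variants agree on 10 ticks */
	printf("320 ns step, before: %" PRIu32 " after: %" PRIu32 "\n",
	       step(isn_time_before, 1667551419, 0, 1667551419, 320),
	       step(isn_time_after, 1667551419, 0, 1667551419, 320));
	/* 2^32 ticks = 137.438953472 s: the corrected component wraps to 0 */
	printf("137.44 s step, after: %" PRIu32 "\n",
	       step(isn_time_after, 0, 0, 137, 438953472));
	return 0;
}
```

The one-second step is where the two variants diverge: the pre-patch component moves 1000000000 per second, the intended one 31250000, a factor of 32, while sub-second steps (the 320 ns case) agree because only the seconds term was left unshifted.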