Fix TOCTOU bug in sending packets with the experiment option header.
In cases where sendRaw runs concurrently with a setsocketopt that sets
the experiment option, it's possible to read a zero experiment option when
adjusting reserved header space and a non-zero experiment option when
sending the packet. This causes the sentry to panic when adding the IPv6
header.

PiperOrigin-RevId: 721831686
manninglucas authored and gvisor-bot committed Feb 5, 2025
1 parent 2207271 commit 431ee54
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions pkg/tcpip/transport/tcp/connect.go
Expand Up @@ -1028,7 +1028,8 @@ func (e *Endpoint) sendRaw(pkt *stack.PacketBuffer, flags header.TCPFlags, seq,
options := e.makeOptions(sackBlocks)
defer putOptions(options)
hdrSize := header.TCPMinimumSize + int(e.route.MaxHeaderLength()) + len(options)
if e.route.NetProto() == header.IPv6ProtocolNumber && e.getExperimentOptionValue(e.route) != 0 {
expOptVal := e.getExperimentOptionValue(e.route)
if e.route.NetProto() == header.IPv6ProtocolNumber && expOptVal != 0 {
hdrSize += header.IPv6ExperimentHdrLength
}
pkt.ReserveHeaderBytes(hdrSize)
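Review bot: The new `expOptVal` local at the top of this hunk has no comment explaining why the option is read exactly once, so a later cleanup could inline `e.getExperimentOptionValue(e.route)` again and reintroduce the double read. Add a short comment stating that the option can change concurrently through a socket option call and that the value used for `hdrSize` must be the same one passed to the send path. The commit touches only connect.go, so a regression test that runs sendRaw concurrently with setting the experiment option would also be worth adding.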
Expand All @@ -1042,7 +1043,7 @@ func (e *Endpoint) sendRaw(pkt *stack.PacketBuffer, flags header.TCPFlags, seq,
rcvWnd: rcvWnd,
opts: options,
df: e.pmtud == tcpip.PMTUDiscoveryWant || e.pmtud == tcpip.PMTUDiscoveryDo,
expOptVal: e.getExperimentOptionValue(e.route),
expOptVal: expOptVal,
}, pkt, e.gso)
}
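Review bot: In the send parameters, `expOptVal: expOptVal` is passed regardless of protocol, while the reservation in the previous hunk adds `header.IPv6ExperimentHdrLength` only when `e.route.NetProto() == header.IPv6ProtocolNumber`. Confirm that the code consuming `expOptVal` applies the same IPv6 condition, or zero the value for non-IPv6 routes here, so the reserved header space and the header actually written cannot diverge on a different axis than the one this fix closes.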
