TCP MD5 signatures on sparc64 (big-endian) completely fail on current

kernel releases in interoperability with Cisco/Foundry or other

little-endian linux systems.
The root cause is a cast in the return statement of tcp_v4_md5_do_lookup,

where a tcp4_md5sig_key is casted onto tcp_md5sig_key without proper

conversion. On little-endian systems the upper 8 bits are cut of which

yields the expected behaviour. However, on big-endian systems (like

sparc64) only the most significant 8 bits are preserved. Since

TCP_MD5SIG_MAXKEYLEN is 80, this always yields 0.
In the calculation of the md5 signature afterwards the key is therefore

not appended to the tcp segment which could result in a security problem

since only the presence of a md5 signature is checked, and the key itself

doesn't matter.
--- linux.old/include/net/tcp.h 2007-09-28 21:43:26.000000000 +0200 +++

linux/include/net/tcp.h     2007-09-28 21:45:35.000000000 +0200 @@ -1055,6

+1055,7 @@ static inline void clear_all_retrans_hin

 struct crypto_hash;
 /* - key database */

+/* this should be compatible with the head of the following two structs */

 struct tcp_md5sig_key {

        u8                      *key;

        u8                      keylen;

@@ -1062,13 +1063,13 @@ struct tcp_md5sig_key {
 struct tcp4_md5sig_key {

        u8                      *key;

-       u16                     keylen;

+       u8                      keylen;

        __be32                  addr;

 };
 struct tcp6_md5sig_key {

        u8                      *key;

-       u16                     keylen;

+       u8                      keylen;

 #if 0

        u32                     scope_id;       /* XXX */

 #endif
Signed-off-by: Peter Lieven <pl@dlh.net>

Signed-off-by: Matthias M. Dellweg <2500@gmx.de>
-

From: "Peter Lieven" <pl@dlh.net>
I'll have to apply this patch by hand because your email client
Thanks again.

-

From: David Miller <davem@davemloft.net>
Actually, I think I'm going to put in a slightly different

fix.
If tcp4_md5sig_key and tcp6_md5sig_key have to begin with exacytly

tcp_md5sig_key's only two members, we should fully tell this

explicitly to the compiler and remove those ugly casts.
The casts are the real bug.
Here is the patch I will use after some testing:
diff --git a/include/net/tcp.h b/include/net/tcp.h

index 185c7ec..54053de 100644

--- a/include/net/tcp.h

+++ b/include/net/tcp.h

@@ -1059,14 +1059,12 @@ struct tcp_md5sig_key {

 };
 struct tcp4_md5sig_key {

-	u8			*key;

-	u16			keylen;

+	struct tcp_md5sig_key	base;

 	__be32			addr;

 };
 struct tcp6_md5sig_key {

-	u8			*key;

-	u16			keylen;

+	struct tcp_md5sig_key	base;

 #if 0

 	u32			scope_id;	/* XXX */

 #endif

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c

index 9c94627..e089a97 100644

--- a/net/ipv4/tcp_ipv4.c

+++ b/net/ipv4/tcp_ipv4.c

@@ -833,8 +833,7 @@ static struct tcp_md5sig_key *

 		return NULL;

 	for (i = 0; i < tp->md5sig_info->entries4; i++) {

 		if (tp->md5sig_info->keys4[i].addr == addr)

-			return (struct tcp_md5sig_key *)

-						&tp->md5sig_info->keys4[i];

+			return &tp->md5sig_info->keys4[i].base;

 	}

 	return NULL;

 }

@@ -865,9 +864,9 @@ int tcp_v4_md5_do_add(struct sock *sk, __be32 addr,

 	key = (struct tcp4_md5sig_key *)tcp_v4_md5_do_lookup(sk, addr);

 	if (key) {

 		/* Pre-existing entry - just update that one. */

-		kfree(key->key);

-		key->key = newkey;

-		key->keylen = newkeylen;

+		kfree(key->base.key);

+		key->base.key = newkey;

+		key->base.keylen = newkeylen;

 	} else {

 		struct tcp_md5sig_info *md5sig;
@@ -906,9 +905,9 @@ int tcp_v4_md5_do_add(struct sock *sk, __be32 addr,

 			md5sig->alloced4++;

 		}

 		md5sig->entries4++;

-		md5sig->keys4[md5sig->entries4 - 1].addr   = addr;

-		md5sig->keys4[md5sig->entries4 - 1].key    = newkey;

-		md5sig->keys4[md5sig->en...
[ message continues ]