net/tcp: Don't add key with non-matching VRF on connected sockets

If the connection was established, don't allow adding TCP-AO keys that
don't match the peer. Currently, there are checks for ip-address
matching, but L3 index check is missing. Add it to restrict userspace
shooting itself somewhere.

Yet, nothing restricts the CAP_NET_RAW user from trying to shoot
themselves by performing setsockopt(SO_BINDTODEVICE) or
setsockopt(SO_BINDTOIFINDEX) over an established TCP-AO connection.
So, this is just "minimum effort" to potentially save someone's
debugging time, rather than a full restriction on doing weird things.

Fixes: 248411b8cb89 ("net/tcp: Wire up l3index to TCP-AO")
Signed-off-by: Dmitry Safonov <dima@arista.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index c8be1d526eac1bcbc92b1eb06316949218441426..18dacfef7a07e8d25fc954c025b9de48f56cfa4e 100644 (file)
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -1608,6 +1608,15 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned short int family,
                if (!dev || !l3index)
                        return -EINVAL;
 
+               if (!bound_dev_if || bound_dev_if != cmd.ifindex) {
+                       /* tcp_ao_established_key() doesn't expect having
+                        * non peer-matching key on an established TCP-AO
+                        * connection.
+                        */
+                       if (!((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)))
+                               return -EINVAL;
+               }
+
                /* It's still possible to bind after adding keys or even
                 * re-bind to a different dev (with CAP_NET_RAW).
                 * So, no reason to return error here, rather try to be