tcp: verify the checksum of the first data segment in a new connection

commit 079096f ("tcp/dccp: install syn_recv requests into ehash
table") introduced an optimization for the handling of child sockets
created for a new TCP connection.

But this optimization passes any data associated with the last ACK of the
connection handshake up the stack without verifying its checksum, because it
calls tcp_child_process(), which in turn calls tcp_rcv_state_process()
directly.  These lower-level processing functions do not do any checksum
verification.

Insert a tcp_checksum_complete call in the TCP_NEW_SYN_RECEIVE path to
fix this.

Fixes: 079096f ("tcp/dccp: install syn_recv requests into ehash table")
Signed-off-by: Frank van der Linden <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Tested-by: Balbir Singh <[email protected]>
Reviewed-by: Balbir Singh <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

Author: fllinden

net/ipv4/tcp_ipv4.c

@@ -1730,6 +1730,10 @@ int tcp_v4_rcv(struct sk_buff *skb)
 			reqsk_put(req);
 			goto discard_it;
 		}
+		if (tcp_checksum_complete(skb)) {
+			reqsk_put(req);
+			goto csum_error;
+		}
 		if (unlikely(sk->sk_state != TCP_LISTEN)) {
 			inet_csk_reqsk_queue_drop_and_put(sk, req);
 			goto lookup;

net/ipv6/tcp_ipv6.c

@@ -1479,6 +1479,10 @@ static int tcp_v6_rcv(struct sk_buff *skb)
 			reqsk_put(req);
 			goto discard_it;
 		}
+		if (tcp_checksum_complete(skb)) {
+			reqsk_put(req);
+			goto csum_error;
+		}
 		if (unlikely(sk->sk_state != TCP_LISTEN)) {
 			inet_csk_reqsk_queue_drop_and_put(sk, req);
 			goto lookup;