hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

netfilter: Validate the sequence number of dataless ACK packets as well 

We spare nothing by not validating the sequence number of dataless
ACK packets and enabling it makes harder off-path attacks.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Jozsef Kadlecsik 2012-08-31 09:55:54 +00:00 committed by Pablo Neira Ayuso
parent 64f509ce71
commit 4a70bbfaef
1 changed files with 2 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
net/netfilter/nf_conntrack_proto_tcp.c
View File

@ -630,15 +630,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
ack = sack = receiver->td_end; ack = sack = receiver->td_end;
} }
if (seq == end if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
&& (!tcph->rst
|| (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
/* /*
* Packets contains no data: we assume it is valid * RST sent answering SYN.
* and check the ack value only.
* However RST segments are always validated by their
* SEQ number, except when seq == 0 (reset sent answering
* SYN.
*/ */
seq = end = sender->td_end; seq = end = sender->td_end;