summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2012-08-31 11:55:54 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2012-09-09 22:13:49 +0200
commit4a70bbfaef0361d27272629d1a250a937edcafe4 (patch)
tree8389e2f3b55cfcec5770a9fd83b9a52c31e4128b /net
parentnetfilter: Mark SYN/ACK packets as invalid from original direction (diff)
downloadlinux-4a70bbfaef0361d27272629d1a250a937edcafe4.tar.xz
linux-4a70bbfaef0361d27272629d1a250a937edcafe4.zip
netfilter: Validate the sequence number of dataless ACK packets as well
We spare nothing by not validating the sequence number of dataless ACK packets and enabling it makes harder off-path attacks. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c10
1 files changed, 2 insertions, 8 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index aba98f942979..e046b3756aab 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -630,15 +630,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
ack = sack = receiver->td_end;
}
- if (seq == end
- && (!tcph->rst
- || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
+ if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
/*
- * Packets contains no data: we assume it is valid
- * and check the ack value only.
- * However RST segments are always validated by their
- * SEQ number, except when seq == 0 (reset sent answering
- * SYN.
+ * RST sent answering SYN.
*/
seq = end = sender->td_end;