netfilter: Validate the sequence number of dataless ACK packets as well
We spare nothing by not validating the sequence number of dataless ACK packets, and enabling it makes off-path attacks harder. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 64f509ce71
commit 4a70bbfaef
@ -630,15 +630,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
ack = sack = receiver->td_end;
}
if (seq == end
&& (!tcph->rst
|| (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
/*
* Packets contains no data: we assume it is valid
* and check the ack value only.
* However RST segments are always validated by their
* SEQ number, except when seq == 0 (reset sent answering
* SYN.
* RST sent answering SYN.
*/
seq = end = sender->td_end;
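Review bot: removing the dataless-ACK branch also removes the `seq == end` guard, so the surviving special case `if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)` now rewrites seq/end to `sender->td_end` for a seq 0 RST that carries payload as well, whereas the old condition only did so for a dataless segment; if that widening is intended, say so in the comment, otherwise keep `seq == end &&` in the new condition. The replacement comment `* RST sent answering SYN.` also drops the old explanation of why seq == 0 is tolerated (a reset answering our SYN before any sequence number is known); one more line keeping that rationale would help the next reader, since the hunk no longer shows it.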