Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: Validate the sequence number of dataless ACK packets as well

We spare nothing by not validating the sequence number of dataless
ACK packets, and enabling it makes off-path attacks harder.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
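To make the point of the commit concrete, here is an added example (not kernel code, and not from the author of the patch) that models the conntrack window check with and without the pre-patch shortcut for dataless segments. The field names td_end, td_maxend and td_maxwin follow the kernel's struct ip_ct_tcp_state, but tcp_in_window() below is a hypothetical, simplified stand-in for the kernel function (no SACK or window-scale handling), and the connection state and segments are constructed. It shows that with the shortcut a spoofed dataless ACK only has to get the ACK value into the window, while with SEQ validated it also has to get SEQ right, which is what the off-path attacker in the cited paper does not know.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit modular sequence comparisons, as the kernel's before()/after(). */
static bool before(uint32_t s1, uint32_t s2) { return (int32_t)(s1 - s2) < 0; }
static bool after(uint32_t s1, uint32_t s2) { return before(s2, s1); }

/* Per-direction window state.  Field names follow the kernel's
 * struct ip_ct_tcp_state; the values used below are constructed. */
struct tcp_dir_state {
    uint32_t td_end;    /* highest seq + len seen from this side */
    uint32_t td_maxend; /* right edge of the window the peer advertised to this side */
    uint32_t td_maxwin; /* largest window this side has advertised */
};

struct tcp_seg {
    uint32_t seq;
    uint32_t ack;
    uint32_t len; /* payload bytes (SYN/FIN counted as 0 here for simplicity) */
    bool rst;
};

/* Hypothetical, simplified stand-in for the kernel's tcp_in_window().
 * 'skip_seq_for_dataless' reproduces the pre-patch shortcut: a dataless
 * non-RST segment has its SEQ replaced by sender->td_end, so effectively
 * only the ACK value is checked.  SACK and window scaling are omitted. */
static bool tcp_in_window(const struct tcp_dir_state *sender,
                          const struct tcp_dir_state *receiver,
                          const struct tcp_seg *s,
                          bool skip_seq_for_dataless)
{
    uint32_t seq = s->seq;
    uint32_t end = s->seq + s->len;
    uint32_t ack = s->ack;

    if (skip_seq_for_dataless && seq == end && !s->rst)
        seq = end = sender->td_end; /* pre-patch: assume a dataless segment is valid */

    return before(seq, sender->td_maxend + 1) &&
           after(end, sender->td_end - receiver->td_maxwin - 1) &&
           before(ack, receiver->td_end + 1) &&
           after(ack, receiver->td_end - sender->td_maxwin - 1);
}

/* Constructed mid-connection state: the originator has sent up to seq 1000,
 * the replier up to seq 2000, both advertising a 65535-byte window. */
static const struct tcp_dir_state orig_dir = {
    .td_end = 1000, .td_maxend = 1000 + 65535, .td_maxwin = 65535 };
static const struct tcp_dir_state reply_dir = {
    .td_end = 2000, .td_maxend = 2000 + 65535, .td_maxwin = 65535 };

/* Off-path attacker spoofing the originator: the ACK value is guessed
 * correctly, the SEQ is arbitrary and far outside the window. */
bool spoofed_dataless_ack_accepted(bool skip_seq_for_dataless)
{
    struct tcp_seg s = { .seq = 0x7fffffff, .ack = 2000, .len = 0, .rst = false };
    return tcp_in_window(&orig_dir, &reply_dir, &s, skip_seq_for_dataless);
}

/* Legitimate dataless ACK from the originator: SEQ at its own td_end. */
bool legit_dataless_ack_accepted(bool skip_seq_for_dataless)
{
    struct tcp_seg s = { .seq = 1000, .ack = 2000, .len = 0, .rst = false };
    return tcp_in_window(&orig_dir, &reply_dir, &s, skip_seq_for_dataless);
}

int main(void)
{
    printf("spoofed ACK, pre-patch shortcut : %s\n",
           spoofed_dataless_ack_accepted(true) ? "accepted" : "rejected");
    printf("spoofed ACK, SEQ validated      : %s\n",
           spoofed_dataless_ack_accepted(false) ? "accepted" : "rejected");
    printf("legit ACK, SEQ validated        : %s\n",
           legit_dataless_ack_accepted(false) ? "accepted" : "rejected");
    return 0;
}
```

The legitimate ACK is accepted either way, so the tighter check costs nothing for well-behaved traffic; only the segment with an out-of-window SEQ changes from accepted to rejected.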

authored by Jozsef Kadlecsik and committed by Pablo Neira Ayuso
4a70bbfa 64f509ce

+2 -8
net/netfilter/nf_conntrack_proto_tcp.c
··· 630 630 ack = sack = receiver->td_end; 631 631 } 632 632 633 - if (seq == end 634 - && (!tcph->rst 635 - || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT))) 633 + if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT) 636 634 /* 637 - * Packets contains no data: we assume it is valid 638 - * and check the ack value only. 639 - * However RST segments are always validated by their 640 - * SEQ number, except when seq == 0 (reset sent answering 641 - * SYN. 635 + * RST sent answering SYN. 642 636 */ 643 637 seq = end = sender->td_end; 644 638
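Review bot: the rewritten condition `if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)` drops the `seq == end` guard that the old condition applied to every case, so an RST in SYN_SENT with seq 0 that also carries payload is now rewritten to `seq = end = sender->td_end` as well, whereas before only a dataless one was; the commit message does not mention this widening, so either keep `seq == end` in the condition or state it in the message. The replacement comment `RST sent answering SYN.` also loses the explanation of why the seq 0 special case exists and says nothing about the removed shortcut; since the deleted text explicitly said dataless packets were assumed valid, a comment noting that dataless ACKs are now validated by SEQ on purpose (to resist the off-path reflection scan the message cites) would keep a future cleanup from reintroducing the shortcut.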