Message ID | 1356561874.20133.21098.camel@edumazet-glaptop |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
From: Eric Dumazet <eric.dumazet@gmail.com> Date: Wed, 26 Dec 2012 14:44:34 -0800 > [PATCH v2] tcp: should drop incoming frames without ACK flag set > > In commit 96e0bf4b5193d (tcp: Discard segments that ack data not yet > sent) John Dykstra enforced a check against ack sequences. > > In commit 354e4aa391ed5 (tcp: RFC 5961 5.2 Blind Data Injection Attack > Mitigation) I added more safety tests. > > But we missed fact that these tests are not performed if ACK bit is > not set. > > RFC 793 3.9 mandates TCP should drop a frame without ACK flag set. > > " fifth check the ACK field, > if the ACK bit is off drop the segment and return" > > Not doing so permits an attacker to only guess an acceptable sequence > number, evading stronger checks. > > Many thanks to Zhiyun Qian for bringing this issue to our attention. > > See : > http://web.eecs.umich.edu/~zhiyunq/pub/ccs12_TCP_sequence_number_inference.pdf > > Reported-by: Zhiyun Qian <zhiyunq@umich.edu> > Signed-off-by: Eric Dumazet <edumazet@google.com> Applied, thanks Eric. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index a136925..a28e4db 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -5543,6 +5543,9 @@ slow_path: if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb)) goto csum_error; + if (!th->ack) + goto discard; + /* * Standard slow path. */ @@ -5551,7 +5554,7 @@ slow_path: return 0; step5: - if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0) + if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0) goto discard; /* ts_recent update must be made after we are sure that the packet @@ -5984,11 +5987,15 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, if (tcp_check_req(sk, skb, req, NULL, true) == NULL) goto discard; } + + if (!th->ack) + goto discard; + if (!tcp_validate_incoming(sk, skb, th, 0)) return 0; /* step 5: check the ACK field */ - if (th->ack) { + if (true) { int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0; switch (sk->sk_state) { @@ -6138,8 +6145,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, } break; } - } else - goto discard; + } /* ts_recent update must be made after we are sure that the packet * is in window.