From patchwork Fri Aug 31 19:55:54 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jozsef Kadlecsik X-Patchwork-Id: 181050 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id A0F5B2C0392 for ; Sat, 1 Sep 2012 05:55:59 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754786Ab2HaTz5 (ORCPT ); Fri, 31 Aug 2012 15:55:57 -0400 Received: from smtp-in.kfki.hu ([148.6.0.26]:33438 "EHLO smtp1.kfki.hu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754815Ab2HaTz4 (ORCPT ); Fri, 31 Aug 2012 15:55:56 -0400 Received: from localhost (localhost [127.0.0.1]) by smtp1.kfki.hu (Postfix) with ESMTP id 1DE2F4D4007; Fri, 31 Aug 2012 21:55:55 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at smtp1.kfki.hu Received: from smtp1.kfki.hu ([127.0.0.1]) by localhost (smtp1.kfki.hu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LMgPnVOT-Hms; Fri, 31 Aug 2012 21:55:55 +0200 (CEST) Received: from blackhole.kfki.hu (blackhole.kfki.hu [148.6.0.114]) by smtp1.kfki.hu (Postfix) with ESMTP id CAF2C4D4005; Fri, 31 Aug 2012 21:55:54 +0200 (CEST) Received: by blackhole.kfki.hu (Postfix, from userid 1000) id 85907208283; Fri, 31 Aug 2012 21:55:54 +0200 (CEST) From: Jozsef Kadlecsik To: netfilter-devel@vger.kernel.org Cc: Pablo Neira Ayuso , Jan Wrobel , Jozsef Kadlecsik Subject: [PATCH 2/2] netfilter: Validate the sequence number of dataless ACK packets as well Date: Fri, 31 Aug 2012 21:55:54 +0200 Message-Id: <1346442954-29047-3-git-send-email-kadlec@blackhole.kfki.hu> X-Mailer: git-send-email 1.7.0.4 In-Reply-To: <1346442954-29047-1-git-send-email-kadlec@blackhole.kfki.hu> References: <1346442954-29047-1-git-send-email-kadlec@blackhole.kfki.hu> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org We spare nothing by not validating the sequence number of dataless ACK packets and enabling it makes harder off-path attacks. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074 Signed-off-by: Jozsef Kadlecsik --- net/netfilter/nf_conntrack_proto_tcp.c | 10 ++-------- 1 files changed, 2 insertions(+), 8 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index aba98f9..e046b37 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -630,15 +630,9 @@ static bool tcp_in_window(const struct nf_conn *ct, ack = sack = receiver->td_end; } - if (seq == end - && (!tcph->rst - || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT))) + if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT) /* - * Packets contains no data: we assume it is valid - * and check the ack value only. - * However RST segments are always validated by their - * SEQ number, except when seq == 0 (reset sent answering - * SYN. + * RST sent answering SYN. */ seq = end = sender->td_end;