From patchwork Fri Nov 16 14:00:13 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 199616 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id BC7FC2C0091 for ; Sat, 17 Nov 2012 01:00:57 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752062Ab2KPOAy (ORCPT ); Fri, 16 Nov 2012 09:00:54 -0500 Received: from mail.us.es ([193.147.175.20]:36213 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751992Ab2KPOAc (ORCPT ); Fri, 16 Nov 2012 09:00:32 -0500 Received: (qmail 15741 invoked from network); 16 Nov 2012 15:00:31 +0100 Received: from unknown (HELO us.es) (192.168.2.11) by us.es with SMTP; 16 Nov 2012 15:00:31 +0100 Received: (qmail 3592 invoked by uid 507); 16 Nov 2012 14:00:31 -0000 X-Qmail-Scanner-Diagnostics: from 127.0.0.1 by antivirus1 (envelope-from , uid 501) with qmail-scanner-2.10 (clamdscan: 0.97.6/15583. spamassassin: 3.3.2. Clear:RC:1(127.0.0.1):SA:0(-99.2/7.5):. Processed in 5.195036 secs); 16 Nov 2012 14:00:31 -0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on antivirus1 X-Spam-Level: X-Spam-Status: No, score=-99.2 required=7.5 tests=BAYES_50, USER_IN_WHITELIST autolearn=disabled version=3.3.2 X-Envelope-From: pablo@netfilter.org Received: from unknown (HELO antivirus1) (127.0.0.1) by us.es with SMTP; 16 Nov 2012 14:00:25 -0000 Received: from 192.168.1.13 (192.168.1.13) by antivirus1 (F-Secure/fsigk_smtp/407/antivirus1); Fri, 16 Nov 2012 15:00:25 +0100 (CET) X-Virus-Status: clean(F-Secure/fsigk_smtp/407/antivirus1) Received: (qmail 24896 invoked from network); 16 Nov 2012 15:00:25 +0100 Received: from barqueta.lsi.us.es (HELO localhost.localdomain) (pneira@us.es@150.214.188.150) by us.es with SMTP; 16 Nov 2012 15:00:25 +0100 From: pablo@netfilter.org To: netfilter-devel@vger.kernel.org Cc: davem@davemloft.net, stable@vger.kernel.org Subject: [PATCH 2/3] [-stable] netfilter: Validate the sequence number of dataless ACK packets as well Date: Fri, 16 Nov 2012 15:00:13 +0100 Message-Id: <1353074415-21379-3-git-send-email-pablo@netfilter.org> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1353074415-21379-1-git-send-email-pablo@netfilter.org> References: <1353074415-21379-1-git-send-email-pablo@netfilter.org> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: Jozsef Kadlecsik We spare nothing by not validating the sequence number of dataless ACK packets and enabling it makes harder off-path attacks. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074 Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_proto_tcp.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 1eb458c..a9d5f50 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -625,15 +625,9 @@ static bool tcp_in_window(const struct nf_conn *ct, ack = sack = receiver->td_end; } - if (seq == end - && (!tcph->rst - || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT))) + if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT) /* - * Packets contains no data: we assume it is valid - * and check the ack value only. - * However RST segments are always validated by their - * SEQ number, except when seq == 0 (reset sent answering - * SYN. + * RST sent answering SYN. */ seq = end = sender->td_end;