netfilter: Validate the sequence number of dataless ACK packets as well

commit 4a70bbfaef0361d27272629d1a250a937edcafe4 upstream. We spare nothing by not validating the sequence number of dataless ACK packets and enabling it makes harder off-path attacks. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2012-08-31 09:55:54 +0000
committer: Ben Hutchings <ben@decadent.org.uk> 2012-12-06 11:20:10 +0000
commit: 58fd4b237523afd2a925ccc664d35f0334da4ffd (patch)
tree: edd4adca28e8e1758a5d05356148440e2fb6bf34 /net/netfilter
parent: b5ce3e0d724f18d39ca996164baef3011ff3c409 (diff)
1 files changed, 2 insertions, 8 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 2458cc933b8..57ad4666b24 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -625,15 +625,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
 		ack = sack = receiver->td_end;
 	}
 
-	if (seq == end
-	    && (!tcph->rst
-		|| (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
+	if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
 		/*
-		 * Packets contains no data: we assume it is valid
-		 * and check the ack value only.
-		 * However RST segments are always validated by their
-		 * SEQ number, except when seq == 0 (reset sent answering
-		 * SYN.
+		 * RST sent answering SYN.
 		 */
 		seq = end = sender->td_end;
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2012-08-31 09:55:54 +0000
committer	Ben Hutchings <ben@decadent.org.uk>	2012-12-06 11:20:10 +0000
commit	58fd4b237523afd2a925ccc664d35f0334da4ffd (patch)
tree	edd4adca28e8e1758a5d05356148440e2fb6bf34 /net/netfilter
parent	b5ce3e0d724f18d39ca996164baef3011ff3c409 (diff)