netfilter: Validate the sequence number of dataless ACK packets as well

We spare nothing by not validating the sequence number of dataless ACK packets and enabling it makes harder off-path attacks. See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel, http://arxiv.org/abs/1201.2074 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2012-08-31 09:55:54 +0000
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-09-09 22:13:49 +0200
commit: 4a70bbfaef0361d27272629d1a250a937edcafe4 (patch)
tree: 8389e2f3b55cfcec5770a9fd83b9a52c31e4128b /net/netfilter/nf_conntrack_proto_tcp.c
parent: 64f509ce71b08d037998e93dd51180c19b2f464c (diff)
1 files changed, 2 insertions, 8 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index aba98f94297..e046b3756aa 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -630,15 +630,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
 		ack = sack = receiver->td_end;
 	}
 
-	if (seq == end
-	    && (!tcph->rst
-		|| (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
+	if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
 		/*
-		 * Packets contains no data: we assume it is valid
-		 * and check the ack value only.
-		 * However RST segments are always validated by their
-		 * SEQ number, except when seq == 0 (reset sent answering
-		 * SYN.
+		 * RST sent answering SYN.
 		 */
 		seq = end = sender->td_end;
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2012-08-31 09:55:54 +0000
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-09-09 22:13:49 +0200
commit	4a70bbfaef0361d27272629d1a250a937edcafe4 (patch)
tree	8389e2f3b55cfcec5770a9fd83b9a52c31e4128b /net/netfilter/nf_conntrack_proto_tcp.c
parent	64f509ce71b08d037998e93dd51180c19b2f464c (diff)