leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bfcaa50270
linux/net/netfilter
History
Jozsef Kadlecsik bfcaa50270 netfilter: nf_ct_tcp: fix accepting invalid RST segments 
Robert L Mathews discovered that some clients send evil TCP RST segments,
which are accepted by netfilter conntrack but discarded by the
destination. Thus the conntrack entry is destroyed but the destination
retransmits data until timeout.

The same technique, i.e. sending properly crafted RST segments, can easily
be used to bypass connlimit/connbytes based restrictions (the sample
script written by Robert can be found in the netfilter mailing list
archives).

The patch below adds a new flag and new field to struct ip_ct_tcp_state so
that checking RST segments can be made more strict and thus TCP conntrack
can catch the invalid ones: the RST segment is accepted only if its
sequence number higher than or equal to the highest ack we seen from the
other direction. (The last_ack field cannot be reused because it is used
to catch resent packets.)

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-05-25 17:23:15 +02:00
..
ipvs net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
core.c netfilter: remove unneeded goto 2009-02-18 16:29:08 +01:00
Kconfig netfilter: Kconfig: TProxy doesn't depend on NF_CONNTRACK 2009-04-24 16:55:25 +02:00
Makefile netfilter: xtables: add cluster match 2009-03-16 17:10:36 +01:00
nf_conntrack_acct.c net: '&' redux 2008-11-03 18:21:05 -08:00
nf_conntrack_amanda.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_conntrack_core.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2009-03-26 22:45:23 -07:00
nf_conntrack_ecache.c netfilter: ctnetlink: deliver events for conntracks changed from userspace 2008-11-18 11:56:20 +01:00
nf_conntrack_expect.c netfilter: ctnetlink: fix regression in expectation handling 2009-04-06 17:47:20 +02:00
nf_conntrack_extend.c
nf_conntrack_ftp.c netfilter: fix warning in net/netfilter/nf_conntrack_ftp.c 2008-11-25 18:23:03 +01:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: nf_conntrack: fix crash when unloading helpers 2009-04-15 12:45:08 +02:00
nf_conntrack_irc.c netfilter: fix endian bug in conntrack printks 2009-03-28 23:55:57 -07:00
nf_conntrack_l3proto_generic.c
nf_conntrack_netbios_ns.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_conntrack_netlink.c netfilter: ctnetlink: fix wrong message type in user updates 2009-05-05 17:48:26 +02:00
nf_conntrack_pptp.c Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-03-26 15:23:24 -07:00
nf_conntrack_proto_dccp.c netfilter: nf_ct_dccp: add missing role attributes for DCCP 2009-04-24 16:58:41 +02:00
nf_conntrack_proto_generic.c netfilter: change generic l4 protocol number 2009-02-18 16:28:35 +01:00
nf_conntrack_proto_gre.c netfilter: nf_conntrack: calculate per-protocol nlattr size 2009-03-25 21:53:39 +01:00
nf_conntrack_proto_sctp.c netfilter: nf_conntrack: calculate per-protocol nlattr size 2009-03-25 21:53:39 +01:00
nf_conntrack_proto_tcp.c netfilter: nf_ct_tcp: fix accepting invalid RST segments 2009-05-25 17:23:15 +02:00
nf_conntrack_proto_udp.c netfilter: nf_conntrack: calculate per-protocol nlattr size 2009-03-25 21:53:39 +01:00
nf_conntrack_proto_udplite.c netfilter: nf_ct_dccp/udplite: fix protocol registration error 2009-04-24 15:37:44 +02:00
nf_conntrack_proto.c netfilter: ctnetlink: add callbacks to the per-proto nlattrs 2009-03-25 18:24:48 +01:00
nf_conntrack_sane.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_conntrack_sip.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_conntrack_standalone.c netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu() 2009-03-25 21:05:46 +01:00
nf_conntrack_tftp.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_internals.h
nf_log.c netfilter: nf_log regression fix 2009-04-15 12:16:19 +02:00
nf_queue.c
nf_sockopt.c
nf_tproxy_core.c net: Partially allow skb destructors to be used on receive path 2009-02-04 16:55:27 -08:00
nfnetlink_log.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2009-03-24 13:24:36 -07:00
nfnetlink_queue.c
nfnetlink.c netfilter: nfnetlink: return ENOMEM if we fail to create netlink socket 2009-04-17 17:48:44 +02:00
x_tables.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2009-03-24 13:24:36 -07:00
xt_CLASSIFY.c
xt_cluster.c netfilter: xt_cluster: fix use of cluster match with 32 nodes 2009-05-05 17:46:07 +02:00
xt_comment.c
xt_connbytes.c
xt_connlimit.c netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu() 2009-03-25 21:05:46 +01:00
xt_connmark.c
xt_CONNMARK.c
xt_CONNSECMARK.c
xt_conntrack.c
xt_dccp.c nf/dccp: merge errorpaths 2008-12-14 23:19:02 -08:00
xt_dscp.c
xt_DSCP.c
xt_esp.c
xt_hashlimit.c netfilter: xt_hashlimit fix 2009-02-24 15:30:29 +01:00
xt_helper.c
xt_hl.c netfilter: Combine ipt_ttl and ip6t_hl source 2009-02-18 18:39:31 +01:00
xt_HL.c netfilter: Combine ipt_TTL and ip6t_HL source 2009-02-18 18:38:40 +01:00
xt_iprange.c
xt_LED.c netfilter: x_tables: add LED trigger target 2009-02-20 10:55:14 +01:00
xt_length.c
xt_limit.c netfilter: xtables: avoid pointer to self 2009-03-16 15:35:29 +01:00
xt_mac.c
xt_mark.c
xt_MARK.c
xt_multiport.c
xt_NFLOG.c netfilter: xt_NFLOG: don't call nf_log_packet in NFLOG module. 2008-11-04 14:21:08 +01:00
xt_NFQUEUE.c
xt_NOTRACK.c
xt_owner.c CRED: Use creds in file structs 2008-11-14 10:39:25 +11:00
xt_physdev.c netfilter: factorize ifname_compare() 2009-03-25 17:31:52 +01:00
xt_pkttype.c
xt_policy.c
xt_quota.c netfilter: xtables: avoid pointer to self 2009-03-16 15:35:29 +01:00
xt_rateest.c
xt_RATEEST.c
xt_realm.c
xt_recent.c netfilter: xt_recent: fix stack overread in compat code 2009-04-24 17:05:21 +02:00
xt_sctp.c netfilter: xt_sctp: sctp chunk mapping doesn't work 2009-02-09 14:34:56 -08:00
xt_SECMARK.c
xt_socket.c tproxy: fixe a possible read from an invalid location in the socket match 2008-12-07 23:53:46 -08:00
xt_state.c
xt_statistic.c netfilter: xtables: avoid pointer to self 2009-03-16 15:35:29 +01:00
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c
xt_TCPOPTSTRIP.c
xt_tcpudp.c
xt_time.c netfilter 08/09: xt_time: print timezone for user information 2009-01-12 21:18:36 -08:00
xt_TPROXY.c
xt_TRACE.c
xt_u32.c