git.baikalelectronics.ru Git - kernel.git/commit
netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook
author Lin Zhang <xiaolou4617@gmail.com>
Thu, 5 Oct 2017 16:44:03 +0000 (00:44 +0800)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 9 Oct 2017 11:08:39 +0000 (13:08 +0200)
commit 49f817d793d1bcc11d721881aac037b996feef5c
tree f1525ecf75e8f4e4d7c9ffca73f2b097cb4c424a
parent e466af75c074e76107ae1cd5a2823e9c61894ffb

In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet, but
the real server may reply with an icmp error packet related to the existing
tcp conntrack, so we will access wrong tcp data.

Fix it by checking for the protocol field and only process tcp traffic.

Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv4/netfilter/ipt_SYNPROXY.c
net/ipv6/netfilter/ip6t_SYNPROXY.c
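
The failure mode the commit message describes, as an added user-space illustration (not the kernel patch and not code from this commit): reading the L4 header as TCP without checking the IP protocol field returns unrelated bytes for an ICMP error, while the checked version skips it. All names, the verdict enum and both sample packets are constructed for this example; treating "skip" as "accept unchanged" is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

enum verdict { V_ACCEPT, V_DROP, V_TCP_SEEN };   /* example-only names */
#define PROTO_TCP 6

/* Constructed sample: IPv4 + TCP SYN (flags byte 0x02), 40 bytes. */
static const uint8_t tcp_syn[40] = {
    0x45, 0, 0, 40, 0, 1, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    0x30, 0x39, 0, 80, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0
};
/* Constructed sample: IPv4 + ICMP destination unreachable quoting an
   IPv4 header whose IP ID is 0xbeef, 48 bytes. */
static const uint8_t icmp_err[48] = {
    0x45, 0, 0, 48, 0, 2, 0, 0, 64, 1, 0, 0, 10, 0, 0, 2, 10, 0, 0, 1,
    3, 1, 0, 0, 0, 0, 0, 0,
    0x45, 0, 0, 40, 0xbe, 0xef, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2
};

/* Behaviour before the fix, as the message describes it: the bytes after
   the IP header are read as a TCP header whatever the protocol is. */
uint8_t flags_unchecked(const uint8_t *pkt, size_t len)
{
    size_t ihl = len >= 20 ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    return (ihl && len >= ihl + 20) ? pkt[ihl + 13] : 0;
}

/* Behaviour after the fix: non-TCP packets are skipped before TCP parsing. */
enum verdict hook_checked(const uint8_t *pkt, size_t len, uint8_t *flags)
{
    size_t ihl;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return V_DROP;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return V_DROP;
    if (pkt[9] != PROTO_TCP)      /* protocol field check */
        return V_ACCEPT;          /* assumption: "skip" means pass on */
    if (len < ihl + 20)           /* truncated TCP header */
        return V_DROP;
    *flags = pkt[ihl + 13];       /* now a real TCP flags byte */
    return V_TCP_SEEN;
}

int main(void)
{
    uint8_t f = 0;
    return hook_checked(icmp_err, sizeof icmp_err, &f) == V_ACCEPT ? 0 : 1;
}
```

For the ICMP sample, the unchecked read lands on the low byte of the quoted header's IP ID rather than on any TCP field.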