git.baikalelectronics.ru Git - kernel.git/commit
tcp: should drop incoming frames without ACK flag set
author Eric Dumazet <edumazet@google.com>
Wed, 26 Dec 2012 12:44:34 +0000 (12:44 +0000)
committer David S. Miller <davem@davemloft.net>
Wed, 26 Dec 2012 23:08:55 +0000 (15:08 -0800)
commit 8cf17d984132ef4185e854a7a8818a6f759e681b
tree ef786563e00bac6b58b96cc7f0ebbaf487982fa6
parent ddca6d63513e5a761eb502d4b19a8a0218d6f196
tcp: should drop incoming frames without ACK flag set

In commit 9b12466b1e549 (tcp: Discard segments that ack data not yet
sent) John Dykstra enforced a check against ack sequences.

In commit a2e9ee9d0bec7 (tcp: RFC 5961 5.2 Blind Data Injection Attack
Mitigation) I added more safety tests.

But we missed the fact that these tests are not performed if the ACK bit is
not set.

RFC 793 3.9 mandates TCP should drop a frame without ACK flag set.

" fifth check the ACK field,
      if the ACK bit is off drop the segment and return"

Not doing so permits an attacker to only guess an acceptable sequence
number, evading stronger checks.

Many thanks to Zhiyun Qian for bringing this issue to our attention.

See:
http://web.eecs.umich.edu/~zhiyunq/pub/ccs12_TCP_sequence_number_inference.pdf

Reported-by: Zhiyun Qian <zhiyunq@umich.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Nandita Dukkipati <nanditad@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: John Dykstra <john.dykstra1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp_input.c
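
The gap described in the commit message, as an added example that is not part of the commit or the kernel source: a simplified model of segment validation on an established connection, with the ACK-dependent check beside the RFC 793 "fifth check". All struct, function and macro names are hypothetical, the connection values are constructed, and RST/SYN handling is left out.

```c
/* Simplified model with hypothetical names; added example, not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define FLAG_ACK 0x10u            /* ACK bit in the TCP flags byte */

struct conn { uint32_t rcv_nxt, rcv_wnd, snd_una, snd_nxt, max_wnd; };
struct seg  { uint32_t seq, ack; uint8_t flags; };

/* Wrap-safe "a is before b" in 32-bit sequence space. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
/* RFC 793 window test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND. */
static bool seq_ok(const struct conn *c, const struct seg *s)
{
    return !seq_before(s->seq, c->rcv_nxt) &&
           seq_before(s->seq, c->rcv_nxt + c->rcv_wnd);
}

/* RFC 5961 5.2: SND.UNA - MAX.SND.WND <= SEG.ACK <= SND.NXT. */
static bool ack_ok(const struct conn *c, const struct seg *s)
{
    return !seq_before(s->ack, c->snd_una - c->max_wnd) &&
           !seq_before(c->snd_nxt, s->ack);
}

/* Behaviour the commit message describes before the fix:
 * the ACK tests only run when the ACK bit is set. */
static bool accept_before_fix(const struct conn *c, const struct seg *s)
{
    if (!seq_ok(c, s)) return false;
    if ((s->flags & FLAG_ACK) && !ack_ok(c, s)) return false;
    return true;                  /* no ACK bit: only the sequence was checked */
}

/* RFC 793 3.9 "fifth check": if the ACK bit is off, drop the segment. */
static bool accept_after_fix(const struct conn *c, const struct seg *s)
{
    if (!seq_ok(c, s)) return false;
    if (!(s->flags & FLAG_ACK)) return false;
    return ack_ok(c, s);
}

int main(void)
{
    struct conn c = { 1000, 500, 70000, 71000, 65535 };   /* constructed state */
    struct seg  s = { 1200, 0xdeadbeefu, 0 };             /* in-window, no ACK bit */
    printf("before=%d after=%d\n", accept_before_fix(&c, &s), accept_after_fix(&c, &s));
    return 0;
}
```

The same segment with the ACK bit set is rejected by both functions, because its acknowledgment number falls outside the RFC 5961 range; only the flagless variant slips past the older logic.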