diff options
author | Eric Dumazet <edumazet@google.com> | 2018-08-22 13:30:45 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-09-15 09:42:54 +0200 |
commit | e801b695c3e749ab02ff06274ec1cd06369342ca (patch) | |
tree | 03e628010edb23d4794799c719a166a6d267ba79 /scripts/checkincludes.pl | |
parent | 4fb15ff15b2c196b0e0a1df160181545c7b1d527 (diff) |
ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state
[ Upstream commit 431280eebed9f5079553daf003011097763e71fd ]
tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally
to send some control packets.
1) RST packets, through tcp_v4_send_reset()
2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack()
These packets assert IP_DF, and also use the hashed IP ident generator
to provide an IPv4 ID number.
Geoff Alexander reported this could be used to build off-path attacks.
These packets should not be fragmented, since their size is smaller than
IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment,
regardless of inner IPID.
We really can use zero IPID, to address the flaw, and as a bonus,
avoid a couple of atomic operations in ip_idents_reserve()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Geoff Alexander <alexandg@cs.unm.edu>
Tested-by: Geoff Alexander <alexandg@cs.unm.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'scripts/checkincludes.pl')
0 files changed, 0 insertions, 0 deletions