author | silby <silby@FreeBSD.org> | 2005-01-03 07:08:37 +0000 |
---|---|---|
committer | silby <silby@FreeBSD.org> | 2005-01-03 07:08:37 +0000 |
commit | 632a7b8c5a6fd18f137313f482dce3da9df3784e (patch) | |
tree | 419e14ae72d5fffa5f95740c6c7bccbd0446ec6a /sys/netinet | |
parent | 44153c64335f21a8cdddb0cd9798644e6ca60883 (diff) | |
Add a sysctl (net.inet.tcp.insecure_rst) which allows one to specify
that the RFC 793 specification for accepting RST packets should be
followed. When followed, this makes one vulnerable to the attacks
described in "slipping in the window", but it may be necessary in
some odd circumstances.
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/tcp_input.c | 8 | ||||
-rw-r--r-- | sys/netinet/tcp_reass.c | 8 |
2 files changed, 14 insertions, 2 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 41fceac..13b4168 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -131,6 +131,11 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3390, CTLFLAG_RW, &tcp_do_rfc3390, 0, "Enable RFC 3390 (Increasing TCP's Initial Congestion Window)"); +static int tcp_insecure_rst = 0; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, insecure_rst, CTLFLAG_RW, + &tcp_insecure_rst, 0, + "Follow the old (insecure) criteria for accepting RST packets."); + SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0, "TCP Segment Reassembly Queue"); @@ -1528,7 +1533,8 @@ trimthenstep6: goto close; case TCPS_ESTABLISHED: - if (tp->last_ack_sent != th->th_seq) { + if (tp->last_ack_sent != th->th_seq && + tcp_insecure_rst == 0) { tcpstat.tcps_badrst++; goto drop; } diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index 41fceac..13b4168 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -131,6 +131,11 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3390, CTLFLAG_RW, &tcp_do_rfc3390, 0, "Enable RFC 3390 (Increasing TCP's Initial Congestion Window)"); +static int tcp_insecure_rst = 0; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, insecure_rst, CTLFLAG_RW, + &tcp_insecure_rst, 0, + "Follow the old (insecure) criteria for accepting RST packets."); + SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0, "TCP Segment Reassembly Queue"); @@ -1528,7 +1533,8 @@ trimthenstep6: goto close; case TCPS_ESTABLISHED: - if (tp->last_ack_sent != th->th_seq) { + if (tp->last_ack_sent != th->th_seq && + tcp_insecure_rst == 0) { tcpstat.tcps_badrst++; goto drop; } |
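Review bot: The new `tcp_insecure_rst` flag and its sysctl description do not say what the secure default enforces or what turning the knob on gives up, so an operator reading the description learns only that it is "insecure". I would add a comment above the declaration, e.g. `/* 0 (default): in ESTABLISHED, accept a RST only if th_seq == last_ack_sent; non-zero: skip that check (RFC 793 behaviour), re-exposing connections to the "slipping in the window" reset attack. */`. The OID is `CTLFLAG_RW`, so it can be changed at runtime; the comment should say it is meant to stay 0 unless a specific peer is known to need it. The tcp_reass.c section carries the identical declaration with the same index hashes; if both files were ever built into one kernel this would presumably declare net.inet.tcp.insecure_rst twice with two separate static flags, so confirm that only one of them is compiled.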
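Review bot: With `tcp_insecure_rst` set, a RST whose `th_seq` differs from `tp->last_ack_sent` is no longer dropped here and also no longer increments `tcpstat.tcps_badrst`, so the counter an operator would watch for reset injection goes quiet exactly when the host is exposed. Consider counting the mismatch regardless and letting the knob decide only the drop: `if (tp->last_ack_sent != th->th_seq) { tcpstat.tcps_badrst++; if (tcp_insecure_rst == 0) goto drop; }`. A one-line comment on the condition naming the sysctl would also help, since the relaxation is visible only in the `TCPS_ESTABLISHED` case and the rest of the switch lies outside the hunk. The same change appears in the tcp_reass.c section.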