authorsilby <silby@FreeBSD.org>2005-01-03 07:08:37 +0000
committersilby <silby@FreeBSD.org>2005-01-03 07:08:37 +0000
commit632a7b8c5a6fd18f137313f482dce3da9df3784e (patch)
tree419e14ae72d5fffa5f95740c6c7bccbd0446ec6a /sys/netinet
parent44153c64335f21a8cdddb0cd9798644e6ca60883 (diff)
downloadFreeBSD-src-632a7b8c5a6fd18f137313f482dce3da9df3784e.zip
FreeBSD-src-632a7b8c5a6fd18f137313f482dce3da9df3784e.tar.gz
Add a sysctl (net.inet.tcp.insecure_rst) which allows one to specify
that the RFC 793 specification for accepting RST packets should be followed. When followed, this makes one vulnerable to the attacks described in "slipping in the window", but it may be necessary in some odd circumstances.
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/tcp_input.c8
-rw-r--r--sys/netinet/tcp_reass.c8
2 files changed, 14 insertions, 2 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 41fceac..13b4168 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -131,6 +131,11 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3390, CTLFLAG_RW,
&tcp_do_rfc3390, 0,
"Enable RFC 3390 (Increasing TCP's Initial Congestion Window)");
+static int tcp_insecure_rst = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, insecure_rst, CTLFLAG_RW,
+ &tcp_insecure_rst, 0,
+ "Follow the old (insecure) criteria for accepting RST packets.");
+
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");
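Review bot: The new `tcp_insecure_rst` knob has no comment at its definition, and its description string says only "insecure" without naming what is given up. The commit message states that following RFC 793 here makes the host vulnerable to the "slipping in the window" attacks; that belongs next to the variable, e.g. `/* Non-zero: accept RSTs per RFC 793; re-exposes established connections to the "slipping in the window" resets. Leave at 0 unless required. */`. The sysctl is `CTLFLAG_RW` with no range check visible, so any non-zero write enables the relaxed behaviour for every connection; a description such as `"Accept RSTs per RFC 793 (permits blind connection resets)"` would make that cost visible in sysctl output. The same definition appears in the tcp_reass.c section.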
@@ -1528,7 +1533,8 @@ trimthenstep6:
goto close;
case TCPS_ESTABLISHED:
- if (tp->last_ack_sent != th->th_seq) {
+ if (tp->last_ack_sent != th->th_seq &&
+ tcp_insecure_rst == 0) {
tcpstat.tcps_badrst++;
goto drop;
}
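Review bot: With `tcp_insecure_rst` set, an RST whose sequence number differs from `tp->last_ack_sent` passes this test without touching `tcpstat.tcps_badrst`, so a host running in the relaxed mode loses the only counter visible here that would show reset attempts. A separate statistic for RSTs accepted only because the knob is on would keep that mode observable for operators who have to enable it. The test also deserves a comment, e.g. `/* Exact-match RST check; skipped when net.inet.tcp.insecure_rst != 0. */`. The switch and the `TCPS_ESTABLISHED` case continue outside the hunk, so which later checks still apply to the RST cannot be confirmed from here; the tcp_reass.c section carries the identical change.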
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 41fceac..13b4168 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -131,6 +131,11 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3390, CTLFLAG_RW,
&tcp_do_rfc3390, 0,
"Enable RFC 3390 (Increasing TCP's Initial Congestion Window)");
+static int tcp_insecure_rst = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, insecure_rst, CTLFLAG_RW,
+ &tcp_insecure_rst, 0,
+ "Follow the old (insecure) criteria for accepting RST packets.");
+
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");
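Review bot: This section defines a second file-local `static int tcp_insecure_rst` and registers `insecure_rst` under `_net_inet_tcp` again, identical to the tcp_input.c section. If both files are built into the same kernel, the two variables are independent and the same OID name is declared twice, so a write to the sysctl could reach only one of the two checks. The matching `index 41fceac..13b4168` lines suggest this file may simply be a copy of tcp_input.c, in which case only one of them should be compiled; otherwise define the variable once and declare it `extern` in the other file.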
@@ -1528,7 +1533,8 @@ trimthenstep6:
goto close;
case TCPS_ESTABLISHED:
- if (tp->last_ack_sent != th->th_seq) {
+ if (tp->last_ack_sent != th->th_seq &&
+ tcp_insecure_rst == 0) {
tcpstat.tcps_badrst++;
goto drop;
}