summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorstephen hemminger <shemminger@vyatta.com>2010-03-18 11:27:32 +0000
committerDavid S. Miller <davem@davemloft.net>2010-03-19 21:00:42 -0700
commit97e3ecd112ba45eb217cddab59f48659bc15d9d0 (patch)
tree2e50eb442323387fd998e99ec560f58f1cdaf54e /net
parent10414444cb8a8ee8893e00390b7cf40502e28352 (diff)
downloadop-kernel-dev-97e3ecd112ba45eb217cddab59f48659bc15d9d0.zip
op-kernel-dev-97e3ecd112ba45eb217cddab59f48659bc15d9d0.tar.gz
TCP: check min TTL on received ICMP packets
This adds RFC5082 checks for TTL on received ICMP packets. It adds some security against spoofed ICMP packets disrupting GTSM protected sessions. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/tcp_ipv4.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 70df409..f4df5f9 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -370,6 +370,11 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
if (sk->sk_state == TCP_CLOSE)
goto out;
+ if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
+ NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
+ goto out;
+ }
+
icsk = inet_csk(sk);
tp = tcp_sk(sk);
seq = ntohl(th->seq);
OpenPOWER on IntegriCloud