| field | value | date |
|---|---|---|
| author | stephen hemminger <shemminger@vyatta.com> | 2010-03-18 11:27:32 +0000 |
| committer | David S. Miller <davem@davemloft.net> | 2010-03-19 21:00:42 -0700 |
| commit | 97e3ecd112ba45eb217cddab59f48659bc15d9d0 (patch) | |
| tree | 2e50eb442323387fd998e99ec560f58f1cdaf54e /net | |
| parent | 10414444cb8a8ee8893e00390b7cf40502e28352 (diff) | |
TCP: check min TTL on received ICMP packets
This adds RFC5082 checks for TTL on received ICMP packets.
It adds some security against spoofed ICMP packets
disrupting GTSM protected sessions.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
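The check the commit message describes, worked through in user space as an added example (this is not kernel code and not part of the patch): an RFC 5082 minimum-TTL test applied to an ICMP error that quotes one of our TCP segments, followed by the parsing `tcp_v4_err()` has to do anyway to find the session. The point the example makes explicit is which TTL is compared: the outer IP header of the ICMP packet that arrived, not the TTL inside the quoted copy of our own segment. The packet builder, the 192.0.2.0/24 addresses, port numbers and the `GTSM_*` verdict names are all constructed for the example; `min_ttl` stands in for the socket's IP_MINTTL value.

```c
/* RFC 5082 (GTSM) minimum-TTL check on an ICMP error that quotes a TCP
 * segment, mirroring the check the patch adds to tcp_v4_err().  Added
 * example, not kernel code; all packets below are constructed by hand. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ICMP 1
#define PROTO_TCP 6
#define ICMP_DEST_UNREACH 3
#define ICMP_TIME_EXCEEDED 11

enum gtsm_verdict { GTSM_ACCEPT, GTSM_DROP_MIN_TTL, GTSM_DROP_MALFORMED, GTSM_IGNORE };

/* What the error handler needs to find the socket: addresses and ports from
 * the quoted (inner) headers plus the quoted sequence number, host order. */
struct tcp_err_info {
    uint8_t icmp_type, icmp_code;
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t seq;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* min_ttl is the socket's IP_MINTTL (0 = GTSM off).  It is compared against
 * the OUTER IP header: the TTL of the ICMP packet that actually arrived is the
 * only field that says how many hops away its sender is.  The quoted inner
 * header carries the TTL our own segment had when the error was generated
 * (often 0 or 1 in a Time Exceeded) and must not be used for this test. */
enum gtsm_verdict gtsm_check_icmp(const uint8_t *pkt, size_t len, uint8_t min_ttl,
                                  struct tcp_err_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return GTSM_DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return GTSM_DROP_MALFORMED;
    if (pkt[9] != PROTO_ICMP) return GTSM_IGNORE;

    if (pkt[8] < min_ttl) return GTSM_DROP_MIN_TTL;      /* the RFC 5082 check */

    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != ICMP_DEST_UNREACH && icmp[0] != ICMP_TIME_EXCEEDED) return GTSM_IGNORE;

    /* RFC 792: the error quotes the IP header plus the first 8 bytes of the
     * datagram, which for TCP is exactly the ports and sequence number. */
    const uint8_t *in = icmp + 8;
    size_t inlen = len - ihl - 8;
    if (inlen < 20 || (in[0] >> 4) != 4) return GTSM_DROP_MALFORMED;
    size_t in_ihl = (size_t)(in[0] & 0x0f) * 4;
    if (in_ihl < 20 || inlen < in_ihl + 8) return GTSM_DROP_MALFORMED;
    if (in[9] != PROTO_TCP) return GTSM_IGNORE;

    const uint8_t *th = in + in_ihl;
    out->icmp_type = icmp[0];   out->icmp_code = icmp[1];
    out->saddr = rd32(in + 12); out->daddr = rd32(in + 16);
    out->sport = rd16(th);      out->dport = rd16(th + 2);
    out->seq = rd32(th + 4);
    return GTSM_ACCEPT;
}

/* Constructed packet: outer IPv4 (20) + ICMP (8) + quoted IPv4 (20) + 8 bytes
 * of TCP = 56 bytes.  Checksums stay zero; they are not what is under test. */
size_t build_icmp_error(uint8_t *buf, uint8_t outer_ttl, uint8_t type, uint8_t code,
                        uint8_t inner_ttl, uint16_t sport, uint16_t dport, uint32_t seq)
{
    static const uint8_t peer[4] = {192, 0, 2, 1}, us[4] = {192, 0, 2, 2};
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[3] = 56; buf[8] = outer_ttl; buf[9] = PROTO_ICMP;
    memcpy(buf + 12, peer, 4); memcpy(buf + 16, us, 4);   /* ICMP from peer to us */
    buf[20] = type; buf[21] = code;
    uint8_t *in = buf + 28;
    in[0] = 0x45; in[3] = 28; in[8] = inner_ttl; in[9] = PROTO_TCP;
    memcpy(in + 12, us, 4); memcpy(in + 16, peer, 4);     /* quoted: our segment to peer */
    uint8_t *th = in + 20;
    th[0] = (uint8_t)(sport >> 8); th[1] = (uint8_t)sport;
    th[2] = (uint8_t)(dport >> 8); th[3] = (uint8_t)dport;
    th[4] = (uint8_t)(seq >> 24); th[5] = (uint8_t)(seq >> 16);
    th[6] = (uint8_t)(seq >> 8);  th[7] = (uint8_t)seq;
    return 56;
}

/* Filled by the most recent check_case(), so the verdict and the parsed
 * session can be inspected together. */
struct tcp_err_info last_info;

/* One ICMP error (code 4) against a session from our port 179 to peer port
 * 40000, run through the check with the given socket min_ttl. */
enum gtsm_verdict check_case(uint8_t outer_ttl, uint8_t type, uint8_t inner_ttl, uint8_t min_ttl)
{
    uint8_t pkt[64];
    size_t n = build_icmp_error(pkt, outer_ttl, type, 4, inner_ttl, 179, 40000, 0x12345678u);
    memset(&last_info, 0, sizeof last_info);
    return gtsm_check_icmp(pkt, n, min_ttl, &last_info);
}

int main(void)
{
    /* Socket with IP_MINTTL=255: only a directly connected sender passes. */
    printf("outer ttl 255: %d (0 = accept)\n", check_case(255, ICMP_DEST_UNREACH, 64, 255));
    printf("outer ttl 254: %d (1 = min-ttl drop)\n", check_case(254, ICMP_DEST_UNREACH, 64, 255));
    printf("time exceeded, quoted ttl 1: %d (inner ttl is not what is compared)\n",
           check_case(255, ICMP_TIME_EXCEEDED, 1, 255));
    return 0;
}
```

The third case is the one worth keeping in mind when reading the patch: a legitimate Time Exceeded quotes our segment with a TTL of 0 or 1, so a check that looked at the quoted header instead of the arriving packet's header would drop every such error on a GTSM-protected socket while still passing a spoofed ICMP whose quoted header the attacker fills in freely.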
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/tcp_ipv4.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 70df409..f4df5f9 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -370,6 +370,11 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info) if (sk->sk_state == TCP_CLOSE) goto out; + if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) { + NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); + goto out; + } + icsk = inet_csk(sk); tp = tcp_sk(sk); seq = ntohl(th->seq); |
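Review bot: the hunk does not show where `iph` comes from, and the commit message says the TTL being checked is that of the received ICMP packet, so please confirm that `iph` at this point in `tcp_v4_err()` is the outer IP header of `icmp_skb` and not the copy of the original segment's header quoted inside the ICMP payload (the same header region `th` and `seq` are taken from a few lines below). The quoted header carries whatever TTL our own segment had when the error was generated, so comparing it against `min_ttl` would not test the sender's distance at all and would drop legitimate Time Exceeded errors. Whichever header is meant, a one-line comment above `if (unlikely(iph->ttl < inet_sk(sk)->min_ttl))` naming it and citing RFC 5082 would save the next reader the same question, since nothing in the hunk records it.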