diff options
| author |   Eric Dumazet <edumazet@google.com> | 2018-08-22 13:30:45 -0700 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2018-08-22 21:42:58 -0700 |
| commit | 431280eebed9f5079553daf003011097763e71fd (patch) | |
| tree | 13f7bee9436e2ab1ca9b6d2b14b8b7fe66da4f28 /net/ipv4/tcp_bbr.c | |
| parent | addrconf: reduce unnecessary atomic allocations (diff) | |
| download | linux-dev-431280eebed9f5079553daf003011097763e71fd.tar.xz linux-dev-431280eebed9f5079553daf003011097763e71fd.zip | |
ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state
tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally
to send some control packets.
1) RST packets, through tcp_v4_send_reset()
2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack()
These packets assert IP_DF, and also use the hashed IP ident generator
to provide an IPv4 ID number.
Geoff Alexander reported this could be used to build off-path attacks.
These packets should not be fragmented, since their size is smaller than
IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment,
regardless of inner IPID.
We really can use zero IPID, to address the flaw, and as a bonus,
avoid a couple of atomic operations in ip_idents_reserve()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Geoff Alexander <alexandg@cs.unm.edu>
Tested-by: Geoff Alexander <alexandg@cs.unm.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_bbr.c')
0 files changed, 0 insertions, 0 deletions