diff options
| author |   Fernando Fernandez Mancera <ffmancera@riseup.net> | 2019-01-21 12:53:21 +0100 |
|---|---|---|
| committer |   Pablo Neira Ayuso <pablo@netfilter.org> | 2019-01-28 11:09:11 +0100 |
| commit | 1a6a0951fc009f6d9fe8ebea2d2417d80d54097b (patch) | |
| tree | d48e9ca85e9b8ace9d319bfe68c1a2c2dfef9f60 /net/ipv4 | |
| parent | netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present (diff) | |
| download | linux-dev-1a6a0951fc009f6d9fe8ebea2d2417d80d54097b.tar.xz linux-dev-1a6a0951fc009f6d9fe8ebea2d2417d80d54097b.zip | |
netfilter: nfnetlink_osf: add missing fmatch check
When we check the tcp options of a packet and it doesn't match the current
fingerprint, the tcp packet option pointer must be restored to its initial
value in order to do the proper tcp options check for the next fingerprint.
Here we can see an example.
Assumming the following fingerprint base with two lines:
S10:64:1:60:M*,S,T,N,W6: Linux:3.0::Linux 3.0
S20:64:1:60:M*,S,T,N,W7: Linux:4.19:arch:Linux 4.1
Where TCP options are the last field in the OS signature, all of them overlap
except by the last one, ie. 'W6' versus 'W7'.
In case a packet for Linux 4.19 kicks in, the osf finds no matching because the
TCP options pointer is updated after checking for the TCP options in the first
line.
Therefore, reset pointer back to where it should be.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4')
0 files changed, 0 insertions, 0 deletions