diff options
author | stephen hemminger <shemminger@vyatta.com> | 2010-03-18 07:27:32 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-03-20 00:00:42 -0400 |
commit | 97e3ecd112ba45eb217cddab59f48659bc15d9d0 (patch) | |
tree | 2e50eb442323387fd998e99ec560f58f1cdaf54e | |
parent | 10414444cb8a8ee8893e00390b7cf40502e28352 (diff) |
TCP: check min TTL on received ICMP packets
This adds RFC5082 checks for TTL on received ICMP packets.
It adds some security against spoofed ICMP packets
disrupting GTSM protected sessions.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/tcp_ipv4.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 70df40980a87..f4df5f931f36 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c | |||
@@ -370,6 +370,11 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info) | |||
370 | if (sk->sk_state == TCP_CLOSE) | 370 | if (sk->sk_state == TCP_CLOSE) |
371 | goto out; | 371 | goto out; |
372 | 372 | ||
373 | if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) { | ||
374 | NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); | ||
375 | goto out; | ||
376 | } | ||
377 | |||
373 | icsk = inet_csk(sk); | 378 | icsk = inet_csk(sk); |
374 | tp = tcp_sk(sk); | 379 | tp = tcp_sk(sk); |
375 | seq = ntohl(th->seq); | 380 | seq = ntohl(th->seq); |