Diffstat (limited to 'net/ipv4/syncookies.c')
-rw-r--r-- | net/ipv4/syncookies.c | 40 |
1 files changed, 20 insertions, 20 deletions
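--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -125,10 +125,11 @@ static __u16 const msstab[] = {
 __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 {
 struct tcp_sock *tp = tcp_sk(sk);
+const struct iphdr *iph = ip_hdr(skb);
+const struct tcphdr *th = tcp_hdr(skb);
 int mssind;
 const __u16 mss = *mssp;
 
-
 tp->last_synq_overflow = jiffies;
 
 /* XXX sort msstab[] by probability? Binary search? */
@@ -138,9 +139,8 @@ __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 
 NET_INC_STATS_BH(LINUX_MIB_SYNCOOKIESSENT);
 
-return secure_tcp_syn_cookie(skb->nh.iph->saddr, skb->nh.iph->daddr,
-skb->h.th->source, skb->h.th->dest,
-ntohl(skb->h.th->seq),
+return secure_tcp_syn_cookie(iph->saddr, iph->daddr,
+th->source, th->dest, ntohl(th->seq),
 jiffies / (HZ * 60), mssind);
 }
 
@@ -157,14 +157,13 @@ __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 */
 static inline int cookie_check(struct sk_buff *skb, __u32 cookie)
 {
-__u32 seq;
-__u32 mssind;
-
-seq = ntohl(skb->h.th->seq)-1;
-mssind = check_tcp_syn_cookie(cookie,
-skb->nh.iph->saddr, skb->nh.iph->daddr,
-skb->h.th->source, skb->h.th->dest,
-seq, jiffies / (HZ * 60), COUNTER_TRIES);
+const struct iphdr *iph = ip_hdr(skb);
+const struct tcphdr *th = tcp_hdr(skb);
+__u32 seq = ntohl(th->seq) - 1;
+__u32 mssind = check_tcp_syn_cookie(cookie, iph->saddr, iph->daddr,
+th->source, th->dest, seq,
+jiffies / (HZ * 60),
+COUNTER_TRIES);
 
 return mssind < NUM_MSS ? msstab[mssind] + 1 : 0;
 }
@@ -191,14 +190,15 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
 struct inet_request_sock *ireq;
 struct tcp_request_sock *treq;
 struct tcp_sock *tp = tcp_sk(sk);
-__u32 cookie = ntohl(skb->h.th->ack_seq) - 1;
+const struct tcphdr *th = tcp_hdr(skb);
+__u32 cookie = ntohl(th->ack_seq) - 1;
 struct sock *ret = sk;
 struct request_sock *req;
 int mss;
 struct rtable *rt;
 __u8 rcv_wscale;
 
-if (!sysctl_tcp_syncookies || !skb->h.th->ack)
+if (!sysctl_tcp_syncookies || !th->ack)
 goto out;
 
 if (time_after(jiffies, tp->last_synq_overflow + TCP_TIMEOUT_INIT) ||
@@ -220,12 +220,12 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
 }
 ireq = inet_rsk(req);
 treq = tcp_rsk(req);
-treq->rcv_isn = ntohl(skb->h.th->seq) - 1;
+treq->rcv_isn = ntohl(th->seq) - 1;
 treq->snt_isn = cookie;
 req->mss = mss;
-ireq->rmt_port = skb->h.th->source;
-ireq->loc_addr = skb->nh.iph->daddr;
-ireq->rmt_addr = skb->nh.iph->saddr;
+ireq->rmt_port = th->source;
+ireq->loc_addr = ip_hdr(skb)->daddr;
+ireq->rmt_addr = ip_hdr(skb)->saddr;
 ireq->opt = NULL;
 
 /* We throwed the options of the initial SYN away, so we hope
@@ -261,8 +261,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
 .tos = RT_CONN_FLAGS(sk) } },
 .proto = IPPROTO_TCP,
 .uli_u = { .ports =
-{ .sport = skb->h.th->dest,
-.dport = skb->h.th->source } } };
+{ .sport = th->dest,
+.dport = th->source } } };
 security_req_classify_flow(req, &fl);
 if (ip_route_output_key(&rt, &fl)) {
 reqsk_free(req);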
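Review bot: In cookie_v4_check the IP header is fetched with `ip_hdr(skb)` twice (new lines 227–228) while the TCP header is cached in `th`, whereas cookie_v4_init_sequence and cookie_check cache both as `iph` and `th`; a local `const struct iphdr *iph = ip_hdr(skb);` declared next to `th` would keep the three functions consistent. Because `th` is now read once at function entry and still dereferenced at new lines 223–226 and 264–265, the code between those hunks (not visible here) must not do anything that relocates the skb header data; a one-line comment such as `/* th stays valid: skb headers are not pulled or reallocated in this function */` would record that assumption once it has been confirmed. The arguments passed to secure_tcp_syn_cookie() and check_tcp_syn_cookie() appear unchanged in order and byte order, so cookie generation and validation should behave as before.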