Diffstat (limited to 'net/ipv4/syncookies.c')
-rw-r--r--net/ipv4/syncookies.c40
1 files changed, 20 insertions, 20 deletions
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 33016cc90f0b..2da1be0589a9 100644
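--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -125,10 +125,11 @@ static __u16 const msstab[] = {
 __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 {
 struct tcp_sock *tp = tcp_sk(sk);
+const struct iphdr *iph = ip_hdr(skb);
+const struct tcphdr *th = tcp_hdr(skb);
 int mssind;
 const __u16 mss = *mssp;
 
-
 tp->last_synq_overflow = jiffies;
 
 /* XXX sort msstab[] by probability? Binary search? */
@@ -138,9 +139,8 @@ __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 
 NET_INC_STATS_BH(LINUX_MIB_SYNCOOKIESSENT);
 
-return secure_tcp_syn_cookie(skb->nh.iph->saddr, skb->nh.iph->daddr,
-skb->h.th->source, skb->h.th->dest,
-ntohl(skb->h.th->seq),
+return secure_tcp_syn_cookie(iph->saddr, iph->daddr,
+th->source, th->dest, ntohl(th->seq),
 jiffies / (HZ * 60), mssind);
 }
 
@@ -157,14 +157,13 @@ __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 */
 static inline int cookie_check(struct sk_buff *skb, __u32 cookie)
 {
-__u32 seq;
-__u32 mssind;
-
-seq = ntohl(skb->h.th->seq)-1;
-mssind = check_tcp_syn_cookie(cookie,
-skb->nh.iph->saddr, skb->nh.iph->daddr,
-skb->h.th->source, skb->h.th->dest,
-seq, jiffies / (HZ * 60), COUNTER_TRIES);
+const struct iphdr *iph = ip_hdr(skb);
+const struct tcphdr *th = tcp_hdr(skb);
+__u32 seq = ntohl(th->seq) - 1;
+__u32 mssind = check_tcp_syn_cookie(cookie, iph->saddr, iph->daddr,
+th->source, th->dest, seq,
+jiffies / (HZ * 60),
+COUNTER_TRIES);
 
 return mssind < NUM_MSS ? msstab[mssind] + 1 : 0;
 }
@@ -191,14 +190,15 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
 struct inet_request_sock *ireq;
 struct tcp_request_sock *treq;
 struct tcp_sock *tp = tcp_sk(sk);
-__u32 cookie = ntohl(skb->h.th->ack_seq) - 1;
+const struct tcphdr *th = tcp_hdr(skb);
+__u32 cookie = ntohl(th->ack_seq) - 1;
 struct sock *ret = sk;
 struct request_sock *req;
 int mss;
 struct rtable *rt;
 __u8 rcv_wscale;
 
-if (!sysctl_tcp_syncookies || !skb->h.th->ack)
+if (!sysctl_tcp_syncookies || !th->ack)
 goto out;
 
 if (time_after(jiffies, tp->last_synq_overflow + TCP_TIMEOUT_INIT) ||
@@ -220,12 +220,12 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
 }
 ireq = inet_rsk(req);
 treq = tcp_rsk(req);
-treq->rcv_isn = ntohl(skb->h.th->seq) - 1;
+treq->rcv_isn = ntohl(th->seq) - 1;
 treq->snt_isn = cookie;
 req->mss = mss;
-ireq->rmt_port = skb->h.th->source;
-ireq->loc_addr = skb->nh.iph->daddr;
-ireq->rmt_addr = skb->nh.iph->saddr;
+ireq->rmt_port = th->source;
+ireq->loc_addr = ip_hdr(skb)->daddr;
+ireq->rmt_addr = ip_hdr(skb)->saddr;
 ireq->opt = NULL;
 
 /* We throwed the options of the initial SYN away, so we hope
@@ -261,8 +261,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
 .tos = RT_CONN_FLAGS(sk) } },
 .proto = IPPROTO_TCP,
 .uli_u = { .ports =
-{ .sport = skb->h.th->dest,
-.dport = skb->h.th->source } } };
+{ .sport = th->dest,
+.dport = th->source } } };
 security_req_classify_flow(req, &fl);
 if (ip_route_output_key(&rt, &fl)) {
 reqsk_free(req);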
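Review bot: In cookie_v4_check the TCP header is cached once in `th`, but the two address fields copied into the request sock still call the accessor separately (`ireq->loc_addr = ip_hdr(skb)->daddr;` and the matching `rmt_addr` line), whereas cookie_v4_init_sequence and cookie_check in the same commit take a single `const struct iphdr *iph`. Declaring `const struct iphdr *iph = ip_hdr(skb);` beside `th` and writing `ireq->loc_addr = iph->daddr;` and `ireq->rmt_addr = iph->saddr;` would keep the three functions consistent. It would also make it easier to audit that the address/port tuple stored in the request sock is read from the same header pointers that the cookie validation path uses. cookie_v4_check begins and ends outside the visible hunks, so any further IP-header reads in its body cannot be confirmed from this page.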