Diffstat (limited to 'net/ipv4/tcp_input.c')
-rw-r--r--net/ipv4/tcp_input.c59
1 files changed, 36 insertions, 23 deletions
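diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 181fc8234a52..18f97ca76b00 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3552,6 +3552,24 @@ static bool tcp_process_frto(struct sock *sk, int flag)
  return false;
 }
 
+/* RFC 5961 7 [ACK Throttling] */
+static void tcp_send_challenge_ack(struct sock *sk)
+{
+ /* unprotected vars, we dont care of overwrites */
+ static u32 challenge_timestamp;
+ static unsigned int challenge_count;
+ u32 now = jiffies / HZ;
+
+ if (now != challenge_timestamp) {
+ challenge_timestamp = now;
+ challenge_count = 0;
+ }
+ if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+ tcp_send_ack(sk);
+ }
+}
+
 /* This routine deals with incoming acks, but not outgoing ones. */
 static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
 {
@@ -3571,8 +3589,14 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
  /* If the ack is older than previous acks
  * then we can probably ignore it.
  */
- if (before(ack, prior_snd_una))
+ if (before(ack, prior_snd_una)) {
+ /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
+ if (before(ack, prior_snd_una - tp->max_window)) {
+ tcp_send_challenge_ack(sk);
+ return -1;
+ }
  goto old_ack;
+ }
 
  /* If the ack includes data we haven't sent yet, discard
  * this segment (RFC793 Section 3.9).
@@ -5244,23 +5268,6 @@ out:
 }
 #endif /* CONFIG_NET_DMA */
 
-static void tcp_send_challenge_ack(struct sock *sk)
-{
- /* unprotected vars, we dont care of overwrites */
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
- u32 now = jiffies / HZ;
-
- if (now != challenge_timestamp) {
- challenge_timestamp = now;
- challenge_count = 0;
- }
- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
-}
-
 /* Does PAWS and seqno based validation of an incoming segment, flags will
  * play significant role here.
  */
@@ -5536,6 +5543,9 @@ slow_path:
  if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
  goto csum_error;
 
+ if (!th->ack && !th->rst)
+ goto discard;
+
  /*
  * Standard slow path.
  */
@@ -5544,7 +5554,7 @@ slow_path:
  return 0;
 
 step5:
- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
+ if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
  goto discard;
 
  /* ts_recent update must be made after we are sure that the packet
@@ -5977,11 +5987,15 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
  if (tcp_check_req(sk, skb, req, NULL, true) == NULL)
  goto discard;
  }
+
+ if (!th->ack && !th->rst)
+ goto discard;
+
  if (!tcp_validate_incoming(sk, skb, th, 0))
  return 0;
 
  /* step 5: check the ACK field */
- if (th->ack) {
+ if (true) {
  int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
 
  switch (sk->sk_state) {
@@ -5992,7 +6006,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
  */
  if (req) {
  tcp_synack_rtt_meas(sk, req);
- tp->total_retrans = req->retrans;
+ tp->total_retrans = req->num_retrans;
 
  reqsk_fastopen_remove(sk, req, false);
  } else {
@@ -6131,8 +6145,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
  }
  break;
  }
- } else
- goto discard;
+ }
 
  /* ts_recent update must be made after we are sure that the packet
  * is in window.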
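Review bot: The `if (!th->ack && !th->rst) goto discard;` test added in `tcp_rcv_state_process()` runs before `tcp_validate_incoming()`, so a segment carrying only SYN is dropped silently and never reaches that function; the copy added under `slow_path:` appears to sit ahead of the same validation. `tcp_validate_incoming()` is not shown in these hunks, but if it is where an in-window SYN gets its RFC 5961 challenge ACK, both tests should let SYN through: `if (!th->ack && !th->rst && !th->syn) goto discard;`. With the `th->ack` guards removed, `tcp_ack()` is also reached by any RST-without-ACK segment that validation does not consume, so the leftover `if (true) {` would be better flattened or given a comment stating the invariant it relies on, e.g. `/* th->ack is set here: segments without ACK were discarded above */`, once it is confirmed that `tcp_validate_incoming()` never returns true for an RST. Both enclosing functions begin and end outside the hunks.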