1 files changed, 18 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index b5ccf2b4b2e7..97a6e93d742e 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -634,6 +634,14 @@ static bool tcp_in_window(const struct nf_conn *ct,
                        sender->td_end = end;
                        sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
                }
+                if (tcph->ack) {
+                        if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
+                                sender->td_maxack = ack;
+                                sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET;
+                        } else if (after(ack, sender->td_maxack))
+                                sender->td_maxack = ack;
+                }
                /*
                 * Update receiver data.
                 */
@@ -919,6 +927,16 @@ static int tcp_packet(struct nf_conn *ct,
                return -NF_ACCEPT;
        case TCP_CONNTRACK_CLOSE:
                if (index == TCP_RST_SET
+                    && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
+                    && before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
+                        /* Invalid RST  */
+                        write_unlock_bh(&tcp_lock);
+                        if (LOG_INVALID(net, IPPROTO_TCP))
+                                nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+                                          "nf_ct_tcp: invalid RST ");
+                        return -NF_ACCEPT;
+                }
+                if (index == TCP_RST_SET
                    && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
                         && ct->proto.tcp.last_index == TCP_SYN_SET)
                        || (!test_bit(IPS_ASSURED_BIT, &ct->status)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index b5ccf2b4b2e7..97a6e93d742e 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -634,6 +634,14 @@ static bool tcp_in_window(const struct nf_conn *ct,
634	sender->td_end = end;	634	sender->td_end = end;
635	sender->flags \|= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;	635	sender->flags \|= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
636	}	636	}
		637	if (tcph->ack) {
		638	if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
		639	sender->td_maxack = ack;
		640	sender->flags \|= IP_CT_TCP_FLAG_MAXACK_SET;
		641	} else if (after(ack, sender->td_maxack))
		642	sender->td_maxack = ack;
		643	}
		644
637	/*	645	/*
638	* Update receiver data.	646	* Update receiver data.
639	*/	647	*/
@@ -919,6 +927,16 @@ static int tcp_packet(struct nf_conn *ct,
919	return -NF_ACCEPT;	927	return -NF_ACCEPT;
920	case TCP_CONNTRACK_CLOSE:	928	case TCP_CONNTRACK_CLOSE:
921	if (index == TCP_RST_SET	929	if (index == TCP_RST_SET
		930	&& (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
		931	&& before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
		932	/* Invalid RST */
		933	write_unlock_bh(&tcp_lock);
		934	if (LOG_INVALID(net, IPPROTO_TCP))
		935	nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
		936	"nf_ct_tcp: invalid RST ");
		937	return -NF_ACCEPT;
		938	}
		939	if (index == TCP_RST_SET
922	&& ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)	940	&& ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
923	&& ct->proto.tcp.last_index == TCP_SYN_SET)	941	&& ct->proto.tcp.last_index == TCP_SYN_SET)
924	\|\| (!test_bit(IPS_ASSURED_BIT, &ct->status)	942	\|\| (!test_bit(IPS_ASSURED_BIT, &ct->status)