Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 49f817d7 authored Oct 06, 2017 by Lin Zhang Committed by Pablo Neira Ayuso Oct 09, 2017

netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook



In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet, but
the real server maybe reply an icmp error packet related to the exist
tcp conntrack, so we will access wrong tcp data.

Fix it by checking for the protocol field and only process tcp traffic.

Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent e466af75

net/ipv4/netfilter/ipt_SYNPROXY.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -330,7 +330,8 @@ static unsigned int ipv4_synproxy_hook(void *priv,
		if (synproxy == NULL)
		return NF_ACCEPT;

		if (nf_is_loopback_packet(skb))
		if (nf_is_loopback_packet(skb) \|\|
		ip_hdr(skb)->protocol != IPPROTO_TCP)
		return NF_ACCEPT;

		thoff = ip_hdrlen(skb);

net/ipv6/netfilter/ip6t_SYNPROXY.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -353,7 +353,7 @@ static unsigned int ipv6_synproxy_hook(void *priv,
		nexthdr = ipv6_hdr(skb)->nexthdr;
		thoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
		&frag_off);
		if (thoff < 0)
		if (thoff < 0 \|\| nexthdr != IPPROTO_TCP)
		return NF_ACCEPT;

		th = skb_header_pointer(skb, thoff, sizeof(_th), &_th);