Commit 431280ee authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state 



tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally
to send some control packets.

1) RST packets, through tcp_v4_send_reset()
2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack()

These packets assert IP_DF, and also use the hashed IP ident generator
to provide an IPv4 ID number.

Geoff Alexander reported this could be used to build off-path attacks.

These packets should not be fragmented, since their size is smaller than
IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment,
regardless of inner IPID.

We really can use zero IPID, to address the flaw, and as a bonus,
avoid a couple of atomic operations in ip_idents_reserve()

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reported-by: default avatarGeoff Alexander <alexandg@cs.unm.edu>
Tested-by: default avatarGeoff Alexander <alexandg@cs.unm.edu>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent e500c6d3

net/ipv4/tcp_ipv4.c

+6 −0
Original line number Diff line number Diff line
@@ -2517,6 +2517,12 @@ static int __net_init tcp_sk_init(struct net *net) 
		if (res)

			goto fail;

		sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);



		/* Please enforce IP_DF and IPID==0 for RST and

		 * ACK sent in SYN-RECV and TIME-WAIT state.

		 */

		inet_sk(sk)->pmtudisc = IP_PMTUDISC_DO;



		*per_cpu_ptr(net->ipv4.tcp_sk, cpu) = sk;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE