Commit 49f817d7 authored by Lin Zhang's avatar Lin Zhang Committed by Pablo Neira Ayuso

netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook

In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet, but
the real server may reply with an icmp error packet related to the existing
tcp conntrack, so we would access the wrong tcp data.

Fix it by checking for the protocol field and only process tcp traffic.
Signed-off-by: default avatarLin Zhang <xiaolou4617@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent e466af75
...@@ -330,7 +330,8 @@ static unsigned int ipv4_synproxy_hook(void *priv, ...@@ -330,7 +330,8 @@ static unsigned int ipv4_synproxy_hook(void *priv,
if (synproxy == NULL) if (synproxy == NULL)
return NF_ACCEPT; return NF_ACCEPT;
if (nf_is_loopback_packet(skb)) if (nf_is_loopback_packet(skb) ||
ip_hdr(skb)->protocol != IPPROTO_TCP)
return NF_ACCEPT; return NF_ACCEPT;
thoff = ip_hdrlen(skb); thoff = ip_hdrlen(skb);
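Review bot: The new `ip_hdr(skb)->protocol != IPPROTO_TCP` test on the loopback line has no comment explaining how a non-TCP packet reaches this point, which is the non-obvious part: the conntrack lookup earlier in the function (outside the hunk) also yields the TCP entry for an ICMP error that is RELATED to it, so the code below would otherwise read a TCP header out of an ICMP payload. A comment such as `/* ICMP errors are RELATED to the tcp ct; only parse real tcp headers */` above the `if` would keep the check from being "simplified" away later. Since an ICMP error presumably only has to match the embedded tuple, this path was reachable by more than just the real server, which is worth stating as the risk being closed. The enclosing ipv4_synproxy_hook starts before and ends after this hunk, so whether the header fetch below still handles a short skb is not visible here.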
...@@ -353,7 +353,7 @@ static unsigned int ipv6_synproxy_hook(void *priv, ...@@ -353,7 +353,7 @@ static unsigned int ipv6_synproxy_hook(void *priv,
nexthdr = ipv6_hdr(skb)->nexthdr; nexthdr = ipv6_hdr(skb)->nexthdr;
thoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, thoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
&frag_off); &frag_off);
if (thoff < 0) if (thoff < 0 || nexthdr != IPPROTO_TCP)
return NF_ACCEPT; return NF_ACCEPT;
th = skb_header_pointer(skb, thoff, sizeof(_th), &_th); th = skb_header_pointer(skb, thoff, sizeof(_th), &_th);
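Review bot: Testing `nexthdr` after `ipv6_skip_exthdr()` rather than `ipv6_hdr(skb)->nexthdr` is the right choice, because the base header's next-header field may name an extension header rather than the transport protocol, but that reason is not recorded; a comment like `/* nexthdr is the upper-layer protocol after any extension headers */` on the `if` line would help. ipv6_skip_exthdr() also stops at the fragment header of a non-initial fragment, leaving nexthdr at the fragment value, so those are presumably rejected by the same test; an initial fragment carrying a full TCP header still passes, which is fine only if defragmentation runs before this hook — confirm. The enclosing ipv6_synproxy_hook starts before and ends after this hunk.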