    syncookies: check decoded options against sysctl settings · 8c763681
    Florian Westphal authored
    Discard the ACK if we find options that do not match current sysctl
    settings.
    
    Previously it was possible to create a connection with sack, wscale,
    etc. enabled even if the feature was disabled via sysctl.
    
    Also remove an unneeded call to tcp_sack_reset() in
    cookie_check_timestamp: Both call sites (cookie_v4_check,
    cookie_v6_check) zero "struct tcp_options_received", hand it to
    tcp_parse_options() (which does not change tcp_opt->num_sacks/dsack)
    and then call cookie_check_timestamp().
    
    Even if num_sacks/dsacks were changed, the structure is allocated on
    the stack and after cookie_check_timestamp returns only a few selected
    members are copied to the inet_request_sock.
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
syncookies.c 7.31 KB
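
The check the commit message describes, as a user-space model added here; it is not the kernel's code. The struct names, the function name and the bit layout of the echoed timestamp are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed layout of the option bits in the echoed timestamp (assumed):
 * bits 0-3 window scale (0xf = not offered), bit 4 SACK. */
#define OPT_WSCALE_MASK 0x0fu
#define OPT_SACK        0x10u

struct sysctl_model {   /* stand-in for the current sysctl settings */
    bool timestamps, sack, window_scaling;
};

struct decoded_opts {   /* stand-in for struct tcp_options_received */
    bool saw_tstamp, sack_ok, wscale_ok;
    uint8_t snd_wscale;
    uint32_t rcv_tsecr; /* echoed by the peer, so not trusted as-is */
};

/* Decode the options and return false if the ACK must be discarded. */
bool check_decoded_options(const struct sysctl_model *sc, struct decoded_opts *o)
{
    uint32_t bits = o->rcv_tsecr;

    /* Start from "no options" so a rejected ACK leaves nothing enabled. */
    o->sack_ok = o->wscale_ok = false;
    o->snd_wscale = 0;
    if (!o->saw_tstamp)
        return true;            /* nothing was encoded: plain connection */
    if (!sc->timestamps)
        return false;           /* timestamps themselves are disabled */

    if (bits & OPT_SACK) {
        if (!sc->sack)
            return false;       /* SACK decoded but disabled via sysctl */
        o->sack_ok = true;
    }

    if ((bits & OPT_WSCALE_MASK) == OPT_WSCALE_MASK)
        return true;            /* no window scaling requested */
    if (!sc->window_scaling)
        return false;           /* wscale decoded but disabled via sysctl */
    o->wscale_ok = true;
    o->snd_wscale = (uint8_t)(bits & OPT_WSCALE_MASK);
    return true;
}
```

Without the sysctl comparisons, the decoded flags would be applied to the new connection regardless of the current settings, which is the behaviour the commit message says was previously possible.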