Re: [PATCH] xt_TCPMSS: SYN packets are allowed to contain data

From: William Allen Simpson
Date: Tue Jan 19 2010 - 04:17:43 EST

Next message: Oliver Neukum: "Re: [RFC][PATCH] PM: Force GFP_NOIO during suspend/resume (was: Re: [linux-pm] Memory allocations in .suspend became very unreliable)"
Previous message: Oliver Neukum: "Re: [linux-pm] [RFC][PATCH] PM: Force GFP_NOIO during suspend/resume (was: Re: Memory allocations in .suspend became very unreliable)"
In reply to: Simon Arlott: "[PATCH] xt_TCPMSS: SYN packets are allowed to contain data"
Next in thread: Patrick McHardy: "Re: [PATCH] xt_TCPMSS: SYN packets are allowed to contain data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Simon Arlott wrote:

The check for data only needs to apply where the packet length
could be increased by adding the MSS option. (The MSS option
itself applies to the sender's maximum receive size which is
not relevant to any data in its own packet.)

This moves the check for (header size != packet size) to after
attempting to modify an existing MSS option. Another check is
needed before looking through the header to ensure it doesn't
claim to be larger than the packet size.

What's the path from tcp_v[4,6]_rcv() to these tests?

1) Header larger than the packet is already tested in about 5 places,
and my patch "tcp: harmonize tcp_vx_rcv header length assumptions"
tries to get them all down to just *one* test.

2) There certainly *can* be data on SYN. That code is already in
2.6.33....

The ERROR level printk() is also removed as it can be triggered
by remote hosts and is not useful:
[4941777.937417] xt_TCPMSS: bad length (40 bytes)
[4941782.409724] xt_TCPMSS: bad length (40 bytes)
[4941790.762332] xt_TCPMSS: bad length (40 bytes)

Signed-off-by: Simon Arlott <simon@xxxxxxxxxxx>
---
net/netfilter/xt_TCPMSS.c | 21 +++++++++++----------
1 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index eda64c1..76f92bf 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -60,17 +60,9 @@ tcpmss_mangle_packet(struct sk_buff *skb,
tcplen = skb->len - tcphoff;
tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
- /* Since it passed flags test in tcp match, we know it is is
- not a fragment, and has data >= tcp header length. SYN
- packets should not contain data: if they did, then we risk
- running over MTU, sending Frag Needed and breaking things
- badly. --RR */
- if (tcplen != tcph->doff*4) {
- if (net_ratelimit())
- printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n",
- skb->len);
+ /* Header cannot be larger than the packet */
+ if (tcplen < tcph->doff*4)
return -1;
- }
if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
if (dst_mtu(skb_dst(skb)) <= minlen) {
@@ -115,6 +107,15 @@ tcpmss_mangle_packet(struct sk_buff *skb,
}
}
+ /* Since it passed flags test in tcp match, we know it is
+ not a fragment, and has data >= tcp header length. SYN
+ packets should not contain data: if they did, then we risk
+ running over MTU, sending Frag Needed and breaking things
+ badly. --RR
+ */
+ if (tcplen > tcph->doff*4)
+ return -1;
+
/*
* MSS Option not found ?! add it..
*/

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Oliver Neukum: "Re: [RFC][PATCH] PM: Force GFP_NOIO during suspend/resume (was: Re: [linux-pm] Memory allocations in .suspend became very unreliable)"
Previous message: Oliver Neukum: "Re: [linux-pm] [RFC][PATCH] PM: Force GFP_NOIO during suspend/resume (was: Re: Memory allocations in .suspend became very unreliable)"
In reply to: Simon Arlott: "[PATCH] xt_TCPMSS: SYN packets are allowed to contain data"
Next in thread: Patrick McHardy: "Re: [PATCH] xt_TCPMSS: SYN packets are allowed to contain data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]