| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Mar 2010 09:21:11 +0100 From: Eric Dumazet <eric.dumazet@...il.com> To: Pekka Savola <pekkas@...core.fi> Cc: Stephen Hemminger <shemminger@...tta.com>, David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: [PATCH] tcp: Generalized TTL Security Mechanism Le vendredi 19 mars 2010 à 09:58 +0200, Pekka Savola a écrit : > > > But any application using GTSM should be setting IP_TTL socket > option > > to set send TTL. But, not sure if Linux TCP ever sends ICMP > > for existing sessions at all. > > Thanks, Stephen! It's nice to see at least one compliant RFC5082 > implementation ;-) > > Good point that no one should should probably even be sending ICMP > messages for TCP sockets, but on receive side the checks are > important > :-) This requires that any router in the path between the client and server also respects the MINTTL when sending ICMP. Not sure how practical it is... diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 70df409..a9d3ba5 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -367,6 +367,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info) if (sock_owned_by_user(sk)) NET_INC_STATS_BH(net, LINUX_MIB_LOCKDROPPEDICMPS); + if (iph->ttl < inet_sk(sk)->min_ttl) + goto out; + if (sk->sk_state == TCP_CLOSE) goto out; -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists