patch-1.3.22 linux/net/ipv4/ip_fw.c
Next file: linux/net/ipv4/ipip.c
Previous file: linux/net/ipv4/ip.c
Back to the patch index
Back to the overall index
- Lines: 68
- Date:
Fri Sep 1 14:31:56 1995
- Orig file:
v1.3.21/linux/net/ipv4/ip_fw.c
- Orig date:
Mon Aug 28 14:52:26 1995
diff -u --recursive --new-file v1.3.21/linux/net/ipv4/ip_fw.c linux/net/ipv4/ip_fw.c
@@ -22,6 +22,8 @@
* Established connections (ACK check), ACK check on bidirectional rules,
* ICMP type check.
* Wilfred Mollenvanger 7/7/1995.
+ * TCP attack protection.
+ * Alan Cox 25/8/95, based on information from bugtraq.
*
* Masquerading functionality
*
@@ -37,6 +39,9 @@
* Pauline Middelink : Added masquerading.
* Alan Cox : Fixed an error in the merge.
*
+ * TODO:
+ * Fix the PORT spoof crash.
+ *
* All the real work was done by .....
*
*/
@@ -190,6 +195,7 @@
unsigned short f_prt=0, prt;
char notcpsyn=1, notcpack=1, frag1, match;
unsigned short f_flag;
+ unsigned short offset;
/*
* If the chain is empty follow policy. The BSD one
@@ -214,11 +220,38 @@
* of system.
*/
- frag1 = ((ntohs(ip->frag_off) & IP_OFFSET) == 0);
+ offset = ntohs(ip->frag_off) & IP_OFFSET;
+
+ frag1 = (offset == 0);
+
+ /*
+ * Don't allow a fragment of TCP 8 bytes in. Nobody
+ * normal causes this. Its a cracker trying to break
+ * in by doing a flag overwrite to pass the direction
+ * checks.
+ */
+
+ if (offset == 1 && ip->protocol == IPPROTO_TCP)
+ return 0;
+
if (!frag1 && (opt != 1) && (ip->protocol == IPPROTO_TCP ||
ip->protocol == IPPROTO_UDP))
return(1);
-
+
+ /*
+ * Header fragment for TCP is too small to check the bits.
+ */
+
+ if(ip->protocol==IPPROTO_TCP && (ip->ihl<<2)+16 > ntohs(ip->tot_len))
+ return 0;
+
+ /*
+ * Too short.
+ */
+
+ else if(ntohs(ip->tot_len)<8+(ip->ihl<<2))
+ return 0;
+
src = ip->saddr;
dst = ip->daddr;
FUNET's LINUX-ADM group, [email protected]
TCL-scripts by Sam Shen, [email protected]
with Sam's (original) version of this