
Commit 49f817d

Lin Zhang authored and ummakynes committed
netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook
In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet, but the real server may reply with an icmp error packet related to the existing tcp conntrack, so we will access wrong tcp data. Fix it by checking the protocol field and only processing tcp traffic.

Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent e466af7 commit 49f817d

File tree

2 files changed

+3
-2
lines changed


net/ipv4/netfilter/ipt_SYNPROXY.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -330,7 +330,8 @@ static unsigned int ipv4_synproxy_hook(void *priv,
330330
if (synproxy == NULL)
331331
return NF_ACCEPT;
332332

333-
if (nf_is_loopback_packet(skb))
333+
if (nf_is_loopback_packet(skb) ||
334+
ip_hdr(skb)->protocol != IPPROTO_TCP)
334335
return NF_ACCEPT;
335336

336337
thoff = ip_hdrlen(skb);
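Review bot: the new `ip_hdr(skb)->protocol != IPPROTO_TCP` test is placed ahead of `thoff = ip_hdrlen(skb)` and the TCP header access that follows, so a non-TCP packet (such as the ICMP error tied to an existing TCP conntrack described in the commit message) now leaves the hook with NF_ACCEPT before any TCP fields are read, which is the right gate. Folding it into the existing loopback condition keeps the early-return structure intact, but the reason is not obvious from the condition alone; a one-line comment above it (e.g. `/* only TCP is handled here; ICMP errors for the conntrack must pass untouched */`) would save the next reader a trip to the git log.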

net/ipv6/netfilter/ip6t_SYNPROXY.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -353,7 +353,7 @@ static unsigned int ipv6_synproxy_hook(void *priv,
353353
nexthdr = ipv6_hdr(skb)->nexthdr;
354354
thoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
355355
&frag_off);
356-
if (thoff < 0)
356+
if (thoff < 0 || nexthdr != IPPROTO_TCP)
357357
return NF_ACCEPT;
358358

359359
th = skb_header_pointer(skb, thoff, sizeof(_th), &_th);
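Review bot: checking `nexthdr` after the `ipv6_skip_exthdr()` call, rather than `ipv6_hdr(skb)->nexthdr`, is the correct choice, since it tests the transport header that actually sits at `thoff` once extension headers have been walked. One consequence worth stating in a comment: when `ipv6_skip_exthdr()` stops at a non-first fragment it leaves `nexthdr` set to the fragment header, so such packets are now also returned with NF_ACCEPT by this condition, consistent with the existing `thoff < 0` early exit. As with the IPv4 hunk, a short comment that only TCP is processed here would make the combined condition self-explanatory.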
