netfilter: xt_TCPMSS: Fix violation of RFC879 in absence of MSS option

The clamp-mss-to-pmtu option of the xt_TCPMSS target can cause issues connecting to websites if there was no MSS option present in the original SYN packet from the client. In these cases, it may add a MSS higher than the default specified in RFC879. Fix this by never setting a value > 536 if no MSS option was specified by the client. This closes netfilter's bugzilla #662. Signed-off-by: N Phil Oester <kernel@linuxace.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: xt_TCPMSS: Fix violation of RFC879 in absence of MSS option
The clamp-mss-to-pmtu option of the xt_TCPMSS target can cause issues connecting to websites if there was no MSS option present in the original SYN packet from the client. In these cases, it may add a MSS higher than the default specified in RFC879. Fix this by never setting a value > 536 if no MSS option was specified by the client. This closes netfilter's bugzilla #662. Signed-off-by: N Phil Oester <kernel@linuxace.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
409b545a · Phil Oester · Pablo Neira Ayuso · 37bc4f8d · 409b545a
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

net/netfilter/xt_TCPMSS.c net/netfilter/xt_TCPMSS.c +6 -0

未找到文件。
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -125,6 +125,12 @@ tcpmss_mangle_packet(struct sk_buff *skb,

 	skb_put(skb, TCPOLEN_MSS);

+	/* RFC 879 states that the default MSS is 536 without specific
+	 * knowledge that the destination host is prepared to accept larger.
+	 * Since no MSS was provided, we MUST NOT set a value > 536.
+	 */
+	newmss = min(newmss, (u16)536);
+
 	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
 	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));