[PATCH 1/1] [CVE-2012-2663] [HARDY] [LUCID] [NATTY] [ONEIRIC] [PRECISE] tcp: drop SYN+FIN messages
Brad Figg
brad.figg at canonical.com
Thu May 31 22:58:54 UTC 2012
From: Eric Dumazet <eric.dumazet at gmail.com>
CVE-2012-2663
BugLink: http://bugs.launchpad.net/bugs/1007091
Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
linux machines to their limits.
Dont call conn_request() if the TCP flags includes SYN flag
Reported-by: Denys Fedoryshchenko <denys at visp.net.lb>
Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa)
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
net/ipv4/tcp_input.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 78dd38c..0cbb440 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5811,6 +5811,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
+ if (th->fin)
+ goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
--
1.7.9.5
More information about the kernel-team
mailing list