Re: NPF: TCP options
On 08/03/2018 at 14:40, Maxime Villard wrote:
> On 08/03/2018 at 13:01, Joerg Sonnenberger wrote:
>> On Thu, Mar 08, 2018 at 09:15:40AM +0100, Maxime Villard wrote:
>>> In NPF we don't check the length of the TCPOPT_MAXSEG and TCPOPT_WINDOW
>>> options. That's a problem: if the length is bogus we should ignore these
>>> options, just like the kernel does in tcp_dooptions().
>> I don't think so. A firewall should drop bogus stuff.
> In fact, it _may_ not be correct to drop here. I did give a look at the RFCs
> about this (~two weeks ago), and I also looked at FreeBSD, OpenBSD and Linux;
> the RFC does not specify the behavior here, and everybody ignores options
> with "bogus" lengths without dropping the packet. That's what we've been doing
> for a long time too, not sure it is correct to divert from this behavior.
> (I say "bogus", but it's not inherently buggy, it's just an unusual size.)

"That's what we've been doing for a long time too, not sure it is
correct to divert from this behavior."

Here, by "we", I'm talking about the kernel, not NPF. NPF does not give a look
at the length.
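The length check the thread is about, as an added example that is not NPF or NetBSD code: a small C walker over the TCP option area that compares the length byte of each MSS and window-scale option against the option's fixed size, and applies one of the two policies discussed above, either ignoring the option the way the kernel's tcp_dooptions() does, or dropping the packet. The option kind and length constants are the standard <netinet/tcp.h> values; the sample option areas are constructed for this example, and tcp_parse_options() and the BADLEN_* policy names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option kinds and fixed lengths as in <netinet/tcp.h> (RFC 793 / RFC 7323). */
#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_MAXSEG  2
#define TCPOLEN_MAXSEG 4
#define TCPOPT_WINDOW  3
#define TCPOLEN_WINDOW 3

/* What to do with an MSS/WSCALE option whose length byte is not the fixed size. */
enum badlen_policy {
    BADLEN_IGNORE,  /* skip the option, keep the packet (kernel-style) */
    BADLEN_DROP     /* reject the packet (the "firewall should drop" position) */
};

struct tcp_opts {
    int have_mss;
    uint16_t mss;
    int have_wscale;
    uint8_t wscale;
};

/*
 * Walk the option area cp[0..cnt). Returns 1 if the packet is acceptable
 * under the policy and fills *out, 0 if it should be dropped. A structurally
 * broken area (missing length byte, length < 2, or length running past the
 * end) ends the walk; nothing after that point is parsed.
 */
int tcp_parse_options(const uint8_t *cp, size_t cnt, enum badlen_policy pol,
                      struct tcp_opts *out)
{
    memset(out, 0, sizeof(*out));

    while (cnt > 0) {
        uint8_t opt = cp[0];
        size_t optlen;

        if (opt == TCPOPT_EOL)
            break;
        if (opt == TCPOPT_NOP) {
            optlen = 1;
        } else {
            if (cnt < 2)
                break;              /* kind present, length byte missing */
            optlen = cp[1];
            if (optlen < 2 || optlen > cnt)
                break;              /* length field unusable */
        }

        switch (opt) {
        case TCPOPT_MAXSEG:
            if (optlen != TCPOLEN_MAXSEG) {
                if (pol == BADLEN_DROP)
                    return 0;
                break;              /* ignore it; advance by its own length */
            }
            out->have_mss = 1;
            out->mss = (uint16_t)((cp[2] << 8) | cp[3]);
            break;
        case TCPOPT_WINDOW:
            if (optlen != TCPOLEN_WINDOW) {
                if (pol == BADLEN_DROP)
                    return 0;
                break;
            }
            out->have_wscale = 1;
            out->wscale = cp[2];
            break;
        default:
            break;                  /* unknown option: skipped by length */
        }

        cp += optlen;
        cnt -= optlen;
    }
    return 1;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t sample_ok[] = {
    TCPOPT_MAXSEG, TCPOLEN_MAXSEG, 0x05, 0xb4,  /* MSS 1460 */
    TCPOPT_NOP,
    TCPOPT_WINDOW, TCPOLEN_WINDOW, 7,           /* window scale 7 */
    TCPOPT_EOL
};

/* MSS option carrying length 6 instead of 4: the "unusual size" case. */
static const uint8_t sample_badmss[] = {
    TCPOPT_MAXSEG, 6, 0x05, 0xb4, 0x00, 0x00,
    TCPOPT_WINDOW, TCPOLEN_WINDOW, 7,
    TCPOPT_EOL
};

int main(void)
{
    struct tcp_opts o;
    int ok;

    ok = tcp_parse_options(sample_badmss, sizeof sample_badmss, BADLEN_IGNORE, &o);
    printf("ignore policy: accept=%d mss_seen=%d wscale=%u\n", ok, o.have_mss, o.wscale);
    ok = tcp_parse_options(sample_badmss, sizeof sample_badmss, BADLEN_DROP, &o);
    printf("drop policy:   accept=%d\n", ok);
    return 0;
}
```

Under BADLEN_IGNORE the malformed MSS is stepped over using its own length byte and the following window-scale option is still read, which is the behaviour the thread attributes to the kernel and to the other stacks; under BADLEN_DROP the same packet is rejected. The policy switch is deliberately the only difference, so the two positions in the thread can be compared on identical input.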