[src/trunk]: src/sys/net/npf npf_tcp_inwindow: inspect the sequence numbers e...

[rmind <rmind%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/3b3eaf97cd13
branches:  trunk
changeset: 781921:3b3eaf97cd13
user:      rmind <rmind%NetBSD.org@localhost>
date:      Sat Oct 06 23:50:17 2012 +0000

description:
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN.  This makes off-path attacks
more difficult.  For the reference, see "Reflection Scan: an Off-Path Attack
on TCP" by Jan Wrobel.

diffstat:

 sys/net/npf/npf_state_tcp.c |  29 +++++++++++++++++------------
 1 files changed, 17 insertions(+), 12 deletions(-)

diffs (58 lines):

diff -r d54ae4ff227e -r 3b3eaf97cd13 sys/net/npf/npf_state_tcp.c
--- a/sys/net/npf/npf_state_tcp.c       Sat Oct 06 23:38:20 2012 +0000
+++ b/sys/net/npf/npf_state_tcp.c       Sat Oct 06 23:50:17 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_state_tcp.c,v 1.10 2012/07/21 17:11:02 rmind Exp $ */
+/*     $NetBSD: npf_state_tcp.c,v 1.11 2012/10/06 23:50:17 rmind Exp $ */
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.10 2012/07/21 17:11:02 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.11 2012/10/06 23:50:17 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -94,6 +94,8 @@
        [NPF_TCPS_TIME_WAIT]    = 60 * 2 * 2,
 };
 
+static bool npf_strict_order_rst __read_mostly = false;
+
 #define        NPF_TCP_MAXACKWIN       66000
 
 /*
@@ -391,17 +393,20 @@
                /* Workaround for some TCP stacks. */
                ack = tstate->nst_end;
        }
-       if (seq == end) {
-               /* If packet contains no data - assume it is valid. */
-               end = fstate->nst_end;
-               seq = end;
+
+       if (__predict_false(tcpfl & TH_RST)) {
+               /* RST to the initial SYN may have zero SEQ - fix it up. */
+               if (seq == 0 && nst->nst_state == NPF_TCPS_SYN_SENT) {
+                       end = fstate->nst_end;
+                       seq = end;
+               }
+
+               /* Strict in-order sequence for RST packets. */
+               if (npf_strict_order_rst && (fstate->nst_end - seq) > 1) {
+                       return false;
+               }
        }
-#if 0
-       /* Strict in-order sequence for RST packets. */
-       if ((tcpfl & TH_RST) != 0 && (fstate->nst_end - seq) > 1) {
-               return false;
-       }
-#endif
+
        /*
         * Determine whether the data is within previously noted window,
         * that is, upper boundary for valid data (I).