* Fw: [patch] tcp connection tracking 2.4.19
@ 2002-10-08 22:00 David S. Miller
From: David S. Miller @ 2002-10-08 22:00 UTC (permalink / raw)
  To: netfilter-devel


From: Martin Renold <martinxyz@gmx.ch>
To: linux-kernel@vger.kernel.org
Subject: [patch] tcp connection tracking 2.4.19
Date: Tue, 8 Oct 2002 22:50:54 +0200
Message-ID: <20021008205053.GA2621@old.homeip.net>

hi,

There is a bug in the stable 2.4.19 kernel in the ip_conntrack code that
allows the final ACK of a SYN - SYN/ACK - ACK tcp handshake to establish
an ASSURED connection even if it has a wrong sequence number. The current
code only checks the ACK number.

This allows a DoS attack that will make it impossible to establish *real*
connections for some days, once the maximum is reached. Somebody sent me
an exploit:

http://old.homeip.net/martin/cdos.tgz

So I wrote a simple patch against 2.4.19, but I must admit that I do not
really understand the code around it, especially why it does not mark
such a packet as invalid (I'm new to most things here).

diff -urN -X dontdiff kernel-source-2.4.19.origin/include/linux/netfilter_ipv4/ip_conntrack_tcp.h kernel-source-2.4.19.patch/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
--- kernel-source-2.4.19.origin/include/linux/netfilter_ipv4/ip_conntrack_tcp.h	Fri Aug  4 22:07:24 2000
+++ kernel-source-2.4.19.patch/include/linux/netfilter_ipv4/ip_conntrack_tcp.h	Sat Oct  5 19:07:44 2002
@@ -24,8 +24,9 @@
 {
 	enum tcp_conntrack state;
 
-	/* Poor man's window tracking: sequence number of valid ACK
-           handshake completion packet */
+	/* Poor man's window tracking: expected sequence and acknowledge 
+	   number of valid ACK handshake completion packet */
+	u_int32_t handshake_seq;
 	u_int32_t handshake_ack;
 };
 
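Review bot: the rewritten comment at the top of this hunk has trailing whitespace on `+	/* Poor man's window tracking: expected sequence and acknowledge ` and its continuation line is indented with spaces where the rest of the struct uses tabs; please trim it, and while touching the comment say that `handshake_seq` holds the value in network byte order (it is later assigned the raw `tcph->ack_seq`), since `handshake_ack` next to it is stored via `htonl()` and a reader will otherwise assume both were converted the same way.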
diff -urN -X dontdiff kernel-source-2.4.19.origin/net/ipv4/netfilter/ip_conntrack_proto_tcp.c kernel-source-2.4.19.patch/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- kernel-source-2.4.19.origin/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	Fri Oct  4 08:13:38 2002
+++ kernel-source-2.4.19.patch/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	Sat Oct  5 20:45:49 2002
@@ -180,6 +180,8 @@
 	if (oldtcpstate == TCP_CONNTRACK_SYN_SENT
 	    && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY
 	    && tcph->syn && tcph->ack)
+		conntrack->proto.tcp.handshake_seq
+			= tcph->ack_seq;
 		conntrack->proto.tcp.handshake_ack
 			= htonl(ntohl(tcph->seq) + 1);
 	WRITE_UNLOCK(&tcp_lock);
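Review bot: the `if (oldtcpstate == TCP_CONNTRACK_SYN_SENT ...)` at the top of this hunk has no braces, so after this change only the new `conntrack->proto.tcp.handshake_seq = tcph->ack_seq;` is conditional and the original `conntrack->proto.tcp.handshake_ack = htonl(ntohl(tcph->seq) + 1);` now runs for every packet that reaches this point, overwriting the recorded SYN/ACK value with whatever segment came last. Wrap both assignments in `{ ... }` so they stay inside the SYN/ACK branch.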
@@ -196,6 +198,7 @@
 		if (oldtcpstate == TCP_CONNTRACK_SYN_RECV
 		    && CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL
 		    && tcph->ack && !tcph->syn
+		    && tcph->seq == conntrack->proto.tcp.handshake_seq
 		    && tcph->ack_seq == conntrack->proto.tcp.handshake_ack)
 			set_bit(IPS_ASSURED_BIT, &conntrack->status);
 
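Review bot: the added `tcph->seq == conntrack->proto.tcp.handshake_seq` compares two network-order values directly, which is correct only because `handshake_seq` is stored as the raw `tcph->ack_seq` rather than through `htonl()` like `handshake_ack`; a one-line comment at this comparison would stop a later reader from "fixing" it with an `ntohl()`. Also note that the new condition only gates `set_bit(IPS_ASSURED_BIT, ...)`: a third ACK that fails the sequence check falls through silently, which matches the cover letter's remark that such packets are not marked invalid, so it is worth a comment saying that is intentional for now.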
-- 
Thunder's just a noise, boys, lightnin' does the work
-- (Chad Brock/John Hadley/Kelly Garrett)
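To make the bug in the cover letter concrete, here is a small user-space model of the handshake-completion check (an added example, not kernel code or the patch itself): the same conntrack state machine run once with the stock 2.4.19 rule (ACK number only) and once with the patched rule (sequence and ACK number). ISN values and the SYN/ACK segment are constructed; values are in host byte order, unlike the kernel's raw header fields.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of ip_conntrack's TCP handshake tracking (2.4.19). */
enum dir { DIR_ORIGINAL, DIR_REPLY };
enum state { SYN_SENT, SYN_RECV, ESTABLISHED };

struct segment {
    enum dir dir;
    bool syn, ack;
    uint32_t seq, ack_seq;
};

struct conntrack {
    enum state state;
    uint32_t handshake_seq;   /* seq the final ACK must carry (client ISN+1) */
    uint32_t handshake_ack;   /* ack the final ACK must carry (server ISN+1) */
    bool assured;
};

/* Feed one segment. check_seq=true is the patched rule (seq and ack both
 * compared); check_seq=false is the stock behaviour (ack number only). */
void track(struct conntrack *ct, const struct segment *s, bool check_seq)
{
    if (ct->state == SYN_SENT && s->dir == DIR_REPLY && s->syn && s->ack) {
        /* Both fields are recorded from the SYN/ACK; braces keep them together. */
        ct->handshake_seq = s->ack_seq;
        ct->handshake_ack = s->seq + 1;
        ct->state = SYN_RECV;
        return;
    }
    if (ct->state == SYN_RECV && s->dir == DIR_ORIGINAL && s->ack && !s->syn
        && (!check_seq || s->seq == ct->handshake_seq)
        && s->ack_seq == ct->handshake_ack) {
        ct->assured = true;             /* IPS_ASSURED_BIT in the kernel */
        ct->state = ESTABLISHED;
    }
}

/* Complete a handshake whose final ACK carries final_seq; report ASSURED.
 * Constructed ISNs: client 1000, server 5000. */
bool handshake_assured(uint32_t final_seq, bool check_seq)
{
    struct conntrack ct = { SYN_SENT, 0, 0, false };
    struct segment synack = { DIR_REPLY, true, true, 5000, 1001 };
    struct segment final  = { DIR_ORIGINAL, false, true, final_seq, 5001 };
    track(&ct, &synack, check_seq);
    track(&ct, &final, check_seq);
    return ct.assured;
}
```

With the stock rule a final ACK carrying the right ACK number but an arbitrary sequence number still becomes ASSURED; with the patched rule it does not, while a correct handshake is unaffected.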



* Re: Fw: [patch] tcp connection tracking 2.4.19
@ 2002-10-09 15:02 ` Harald Welte
From: Harald Welte @ 2002-10-09 15:02 UTC (permalink / raw)
  To: David S. Miller; +Cc: Netfilter Development Mailinglist


On Tue, Oct 08, 2002 at 03:00:30PM -0700, David Miller wrote:
> Date: 	Tue, 8 Oct 2002 22:50:54 +0200
> From: Martin Renold <martinxyz@gmx.ch>
> To: linux-kernel@vger.kernel.org
> Subject: [patch] tcp connection tracking 2.4.19

Thanks Dave, we will discuss this in the coreteam and reply to you ASAP.

(jfyi: this 'exploit' is well-known behaviour of the conntrack code,
 and as long as there is no full sequence-number tracking, we will always
 end up with those kinds of issues...)

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long as
 I'm the dictator."  --  George W. Bush Dec 18, 2000

