From: Phil Oester <kernel@linuxace.com>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH] netfilter: xt_TCPMSS: Avoid violating RFC 879 in absence of MSS option
Date: Tue, 4 Jun 2013 11:09:27 -0400
Message-ID: <20130604150927.GA9108@gmail.com>
As reported in bug #662, the clamp-mss-to-pmtu option of the xt_TCPMSS target
can cause issues connecting to websites if there was no MSS option present in
the original SYN packet from the client. In these cases, it adds an MSS higher
than the default specified in RFC 879. Fix this by never setting a value > 536
IFF none was specified by the client.
This closes bug #662.
Phil
Signed-off-by: Phil Oester <kernel@linuxace.com>
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a75240f..53af7db 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -125,6 +125,13 @@ tcpmss_mangle_packet(struct sk_buff *skb,
skb_put(skb, TCPOLEN_MSS);
+ /*
+ * RFC 879 states that the default MSS is 536 without specific
+ * knowledge that the destination host is prepared to accept larger.
+ * Since no MSS was provided, we MUST NOT set a value > 536.
+ */
+ newmss = min(newmss, (u16)536);
+
opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
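Review bot: the cap at `newmss = min(newmss, (u16)536);` hard-codes the IPv4 default from RFC 879, but xt_TCPMSS is a family-independent xtables target; if tcpmss_mangle_packet is also reached for IPv6 SYNs that carry no MSS option, the applicable default is the one derived from RFC 2460's 1280-byte minimum MTU (1280 - 40 - 20 = 1220), and clamping those to 536 is needlessly conservative. Consider passing the address family into this path and selecting the default per family, and giving the value a name (a define placed beside the new comment) instead of repeating the literal 536 in both the comment and the code.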
Thread overview:
2013-06-04 15:09 Phil Oester [this message]
2013-06-05 12:09 ` [PATCH] netfilter: xt_TCPMSS: Avoid violating RFC 879 in absence of MSS option Pablo Neira Ayuso
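The decision the patch changes, as an added stand-alone example (this is not xt_TCPMSS.c or any other kernel code): walk the TCP options of a SYN, and compute the MSS the target would write for clamp-mss-to-pmtu both before and after the fix. The option walker, the sample SYN option bytes and the PMTU values are constructed here for illustration; the code assumes the PMTU exceeds the fixed IP+TCP header size. It also goes one step beyond the patch by carrying an IPv6 default of 1220 (RFC 2460 minimum MTU 1280 minus 60 bytes of headers), which this patch does not implement; only the 536 case comes from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2
#define TCPOLEN_MSS 4

/* Defaults used when the peer sent no MSS option.
 * IPv4: RFC 879 (576 - 20 - 20). IPv6: RFC 2460 (1280 - 40 - 20); the
 * IPv6 value is an addition of this example, not part of the patch. */
#define DEFAULT_MSS_V4 536
#define DEFAULT_MSS_V6 1220

enum addr_family { FAMILY_IPV4 = 4, FAMILY_IPV6 = 6 };

/* Scan the TCP option bytes that follow the fixed 20-byte header.
 * Returns true and stores the value if a well-formed MSS option is present.
 * A malformed option list is treated as "no MSS option". */
bool find_mss_option(const uint8_t *opts, size_t optlen, uint16_t *mss_out)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            return false;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen)
            return false;                  /* length byte missing */
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen)
            return false;                  /* bogus length */
        if (kind == TCPOPT_MSS && len == TCPOLEN_MSS) {
            *mss_out = (uint16_t)(((uint16_t)opts[i + 2] << 8) | opts[i + 3]);
            return true;
        }
        i += len;
    }
    return false;
}

/* MSS the clamp-mss-to-pmtu target writes into the SYN.
 * With an MSS option present the value is only ever lowered.
 * Without one, the target inserts an option: before the patch it used
 * pmtu - headers directly; with the patch (apply_rfc_default_cap) the
 * inserted value is capped at the RFC default for the family. */
uint16_t tcpmss_compute(enum addr_family family, const uint8_t *opts, size_t optlen,
                        uint16_t pmtu, bool apply_rfc_default_cap)
{
    uint16_t hdr = (family == FAMILY_IPV4) ? 40 : 60;  /* IP + TCP fixed headers */
    uint16_t newmss = (uint16_t)(pmtu - hdr);          /* assumes pmtu > hdr */
    uint16_t oldmss;

    if (find_mss_option(opts, optlen, &oldmss))
        return oldmss <= newmss ? oldmss : newmss;

    if (apply_rfc_default_cap) {
        uint16_t dflt = (family == FAMILY_IPV4) ? DEFAULT_MSS_V4 : DEFAULT_MSS_V6;
        if (newmss > dflt)
            newmss = dflt;
    }
    return newmss;
}

/* Constructed sample: NOP, NOP, MSS=1460 (0x05b4), as a typical client SYN. */
const uint8_t SAMPLE_OPTS_MSS1460[] = { TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MSS, TCPOLEN_MSS, 0x05, 0xb4 };
const size_t SAMPLE_OPTS_MSS1460_LEN = sizeof(SAMPLE_OPTS_MSS1460);

int main(void)
{
    printf("SYN with MSS 1460, PMTU 1500  -> %u\n",
           tcpmss_compute(FAMILY_IPV4, SAMPLE_OPTS_MSS1460, SAMPLE_OPTS_MSS1460_LEN, 1500, true));
    printf("SYN with MSS 1460, PMTU 1400  -> %u\n",
           tcpmss_compute(FAMILY_IPV4, SAMPLE_OPTS_MSS1460, SAMPLE_OPTS_MSS1460_LEN, 1400, true));
    printf("SYN without MSS, PMTU 1500, before patch -> %u\n",
           tcpmss_compute(FAMILY_IPV4, NULL, 0, 1500, false));
    printf("SYN without MSS, PMTU 1500, with patch   -> %u\n",
           tcpmss_compute(FAMILY_IPV4, NULL, 0, 1500, true));
    printf("IPv6 SYN without MSS, PMTU 1500, family-aware cap -> %u\n",
           tcpmss_compute(FAMILY_IPV6, NULL, 0, 1500, true));
    return 0;
}
```

The interesting row is the SYN with no MSS option: pre-patch the target writes 1460 (the PMTU-derived value) into a SYN whose sender never advertised anything above the RFC 879 default of 536, and the peer's reply segments can then exceed what the client is prepared to accept; with the cap the inserted value is 536. When the PMTU-derived value is already below the default (e.g. PMTU 560 gives 520) the cap does not change it.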