[PATCH] netfilter: xt_TCPMSS: Avoid violating RFC 879 in absence of MSS option

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] netfilter: xt_TCPMSS: Avoid violating RFC 879 in absence of MSS option
@ 2013-06-04 15:09 Phil Oester
  2013-06-05 12:09 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Phil Oester @ 2013-06-04 15:09 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo

[-- Attachment #1: Type: text/plain, Size: 437 bytes --]

As reported in bug #662, the clamp-mss-to-pmtu option of the xt_TCPMSS target
can cause issues connecting to websites if there was no MSS option present in
the original SYN packet from the client.  In these cases, it adds an MSS higher
than the default specified in RFC 879.  Fix this by never setting a value > 536
IFF none was specified by the client.  

This closes bug #662.

Phil

Signed-off-by: Phil Oester <kernel@linuxace.com>



[-- Attachment #2: patch-662 --]
[-- Type: text/plain, Size: 622 bytes --]

diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a75240f..53af7db 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -125,6 +125,13 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 
 	skb_put(skb, TCPOLEN_MSS);
 
+	/*
+	 * RFC 879 states that the default MSS is 536 without specific
+	 * knowledge that the destination host is prepared to accept larger.
+	 * Since no MSS was provided, we MUST NOT set a value > 536.
+	 */
+	newmss = min(newmss, (u16)536);
+
 	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
 	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
 

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] netfilter: xt_TCPMSS: Avoid violating RFC 879 in absence of MSS option
  2013-06-04 15:09 [PATCH] netfilter: xt_TCPMSS: Avoid violating RFC 879 in absence of MSS option Phil Oester
@ 2013-06-05 12:09 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-05 12:09 UTC (permalink / raw)
  To: Phil Oester; +Cc: netfilter-devel

On Tue, Jun 04, 2013 at 11:09:27AM -0400, Phil Oester wrote:
> As reported in bug #662, the clamp-mss-to-pmtu option of the xt_TCPMSS target
> can cause issues connecting to websites if there was no MSS option present in
> the original SYN packet from the client.  In these cases, it adds an MSS higher
> than the default specified in RFC 879.  Fix this by never setting a value > 536
> IFF none was specified by the client.  
> 
> This closes bug #662.

Applied to the nf tree, thanks Phil.

BTW, this target does not seem to make safe fragmentation handling. We
need a patch similar to:

commit bc6bcb59dd7c184d229f9e86d08aa56059938a4c
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue May 7 03:22:18 2013 +0200

    netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2013-06-05 12:09 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-04 15:09 [PATCH] netfilter: xt_TCPMSS: Avoid violating RFC 879 in absence of MSS option Phil Oester
2013-06-05 12:09 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).