* [iptables PATCH] extensions: libxt_tcpmss: Detect invalid ranges
@ 2017-10-09 13:47 Phil Sutter
2017-10-17 12:12 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Phil Sutter @ 2017-10-09 13:47 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Previously, an MSS range of e.g. 65535:1000 was silently accepted but
would then never match a packet since the kernel checks whether the MSS
value is greater than or equal to the first *and* less than or equal to
the second value.
Detect this as a parameter problem and update the man page accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libxt_tcpmss.c | 6 +++++-
extensions/libxt_tcpmss.man | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
index c7c5971716294..bcd357aa3d8e2 100644
--- a/extensions/libxt_tcpmss.c
+++ b/extensions/libxt_tcpmss.c
@@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
mssinfo->mss_min = cb->val.u16_range[0];
mssinfo->mss_max = mssinfo->mss_min;
- if (cb->nvals == 2)
+ if (cb->nvals == 2) {
mssinfo->mss_max = cb->val.u16_range[1];
+ if (mssinfo->mss_max < mssinfo->mss_min)
+ xtables_error(PARAMETER_PROBLEM,
+ "tcpmss: invalid range given");
+ }
if (cb->invert)
mssinfo->invert = 1;
}
diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man
index 8ee715cdbfb07..8253c363418f8 100644
--- a/extensions/libxt_tcpmss.man
+++ b/extensions/libxt_tcpmss.man
@@ -1,4 +1,4 @@
This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
.TP
[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
-Match a given TCP MSS value or range.
+Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP.
--
2.13.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [iptables PATCH] extensions: libxt_tcpmss: Detect invalid ranges
2017-10-09 13:47 [iptables PATCH] extensions: libxt_tcpmss: Detect invalid ranges Phil Sutter
@ 2017-10-17 12:12 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2017-10-17 12:12 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Mon, Oct 09, 2017 at 03:47:39PM +0200, Phil Sutter wrote:
> Previously, an MSS range of e.g. 65535:1000 was silently accepted but
> would then never match a packet since the kernel checks whether the MSS
> value is greater than or equal to the first *and* less than or equal to
> the second value.
>
> Detect this as a parameter problem and update the man page accordingly.
Applied, thanks Phil.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-10-17 12:12 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-09 13:47 [iptables PATCH] extensions: libxt_tcpmss: Detect invalid ranges Phil Sutter
2017-10-17 12:12 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).