--- /dev/null
+From 64f509ce71b08d037998e93dd51180c19b2f464c Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Fri, 31 Aug 2012 09:55:53 +0000
+Subject: netfilter: Mark SYN/ACK packets as invalid from original direction
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit 64f509ce71b08d037998e93dd51180c19b2f464c upstream.
+
+Clients should not send such packets. By accepting them, we open
+up a hole by which ephemeral ports can be discovered in an off-path
+attack.
+
+See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
+http://arxiv.org/abs/1201.2074
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -159,21 +159,18 @@ static const u8 tcp_conntracks[2][6][TCP
+ * sCL -> sSS
+ */
+ /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+-/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
++/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
+ /*
+ * sNO -> sIV Too late and no reason to do anything
+ * sSS -> sIV Client can't send SYN and then SYN/ACK
+ * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
+- * sSR -> sIG
+- * sES -> sIG Error: SYNs in window outside the SYN_SENT state
+- * are errors. Receiver will reply with RST
+- * and close the connection.
+- * Or we are not in sync and hold a dead connection.
+- * sFW -> sIG
+- * sCW -> sIG
+- * sLA -> sIG
+- * sTW -> sIG
+- * sCL -> sIG
++ * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open
++ * sES -> sIV Invalid SYN/ACK packets sent by the client
++ * sFW -> sIV
++ * sCW -> sIV
++ * sLA -> sIV
++ * sTW -> sIV
++ * sCL -> sIV
+ */
+ /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+ /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
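Review bot: The reason for the six new sIV cells is carried only by the single `sES -> sIV Invalid SYN/ACK packets sent by the client` line, while the sFW through sCL entries that were flipped from sIG to sIV in the same row have no explanation at all; a one-line comment on that group, e.g. `sFW..sCL -> sIV: a SYN/ACK from the originator after the handshake is never legitimate; answering it leaked whether the port was in use (arXiv:1201.2074)`, would keep the rationale next to the table instead of in the commit message. As far as I can tell from the table alone, sIV only yields an INVALID conntrack verdict, so whether the reflected SYN/ACK is actually discarded still depends on the ruleset dropping `--state INVALID`; that caveat is worth a sentence in the description so deployments do not assume conntrack alone closes the scan. The sSR cell also changed meaning (sIG to sSR), and the comment `Late retransmitted SYN/ACK in simultaneous open` could say why the packet is now tracked rather than ignored. The tcp_conntracks table begins before and continues after this hunk.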
--- /dev/null
+From 38fe36a248ec3228f8e6507955d7ceb0432d2000 Mon Sep 17 00:00:00 2001
+From: Ulrich Weber <ulrich.weber@sophos.com>
+Date: Thu, 25 Oct 2012 05:34:45 +0000
+Subject: netfilter: nf_nat: don't check for port change on ICMP tuples
+
+From: Ulrich Weber <ulrich.weber@sophos.com>
+
+commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream.
+
+ICMP tuples have id in src and type/code in dst.
+So comparing src.u.all with dst.u.all always yields a mismatch here
+and ip_xfrm_me_harder() is called for every ICMP packet,
+even if there was no NAT.
+
+Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ net/ipv4/netfilter/nf_nat_standalone.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_nat_standalone.c
++++ b/net/ipv4/netfilter/nf_nat_standalone.c
+@@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum,
+
+ if ((ct->tuplehash[dir].tuple.src.u3.ip !=
+ ct->tuplehash[!dir].tuple.dst.u3.ip) ||
+- (ct->tuplehash[dir].tuple.src.u.all !=
++ (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++ ct->tuplehash[dir].tuple.src.u.all !=
+ ct->tuplehash[!dir].tuple.dst.u.all)
+ )
+ return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
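Review bot: The new `tuple.dst.protonum != IPPROTO_ICMP &&` guard reads as "ICMP is never NATed", which is not what it means — NAT can still rewrite the ICMP id — so the actual reasoning should sit at the condition rather than only in the commit message, e.g. `/* ICMP tuples keep the id in src and type/code in dst, so the port slots never match; skip the check, xfrm selects on type/code which NAT does not rewrite. */`. The last part of that comment is my reading of how xfrm decodes ICMP flows, so please confirm before committing to it. Stylistically, the `&&` term is now spliced into a parenthesised `||` operand across three lines; wrapping it in its own parentheses would make the precedence visible at a glance. nf_nat_out starts outside this hunk.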
+@@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum,
+ ret = NF_DROP;
+ }
+ #ifdef CONFIG_XFRM
+- else if (ct->tuplehash[dir].tuple.dst.u.all !=
++ else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++ ct->tuplehash[dir].tuple.dst.u.all !=
+ ct->tuplehash[!dir].tuple.src.u.all)
+ if (ip_xfrm_me_harder(skb))
+ ret = NF_DROP;
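Review bot: The `else if` condition is now two lines long and still guards an unbraced nested `if (ip_xfrm_me_harder(skb))`, which is the shape that invites a dangling-else or goto-fail style mistake on the next edit; I would brace it: `else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP && ...) {` / `if (ip_xfrm_me_harder(skb))` / `ret = NF_DROP;` / `}`. The same ICMP guard appears in nf_nat_out with the tuple sides swapped, so a short comment here saying why ICMP is exempt (id in src, type/code in dst, so the L4 comparison is meaningless) would keep both call sites self-explanatory. nf_nat_local_fn and the enclosing `#ifdef CONFIG_XFRM` block both extend outside this hunk.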
--- /dev/null
+From 4a70bbfaef0361d27272629d1a250a937edcafe4 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Fri, 31 Aug 2012 09:55:54 +0000
+Subject: netfilter: Validate the sequence number of dataless ACK packets as well
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit 4a70bbfaef0361d27272629d1a250a937edcafe4 upstream.
+
+We gain nothing by skipping validation of the sequence number of
+dataless ACK packets, and enabling it makes off-path attacks harder.
+
+See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
+http://arxiv.org/abs/1201.2074
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -628,15 +628,9 @@ static bool tcp_in_window(const struct n
+ ack = sack = receiver->td_end;
+ }
+
+- if (seq == end
+- && (!tcph->rst
+- || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
++ if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
+ /*
+- * Packets contains no data: we assume it is valid
+- * and check the ack value only.
+- * However RST segments are always validated by their
+- * SEQ number, except when seq == 0 (reset sent answering
+- * SYN.
++ * RST sent answering SYN.
+ */
+ seq = end = sender->td_end;
+
tmpfs-change-final-i_blocks-bug-to-warning.patch
r8169-use-unlimited-dma-burst-for-tx.patch
kbuild-fix-gcc-x-syntax.patch
+netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch
+netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch
+netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch