From: Greg Kroah-Hartman
Date: Tue, 20 Nov 2012 19:35:13 +0000 (-0800)
Subject: 3.0-stable patches
X-Git-Tag: v3.0.53~23^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=044bef62963ee135186b7dad07982ba3e926c573;p=thirdparty%2Fkernel%2Fstable-queue.git

3.0-stable patches

added patches:
netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch
netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch
---
diff --git a/queue-3.0/netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch b/queue-3.0/netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch
new file mode 100644
index 00000000000..f69051afa0f
--- /dev/null
+++ b/queue-3.0/netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch
@@ -0,0 +1,56 @@
+From 64f509ce71b08d037998e93dd51180c19b2f464c Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik
+Date: Fri, 31 Aug 2012 09:55:53 +0000
+Subject: netfilter: Mark SYN/ACK packets as invalid from original direction
+
+From: Jozsef Kadlecsik
+
+commit 64f509ce71b08d037998e93dd51180c19b2f464c upstream.
+
+Clients should not send such packets. By accepting them, we open
+up a hole by wich ephemeral ports can be discovered in an off-path
+attack.
+
+See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
+http://arxiv.org/abs/1201.2074
+
+Signed-off-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -159,21 +159,18 @@ static const u8 tcp_conntracks[2][6][TCP
+ * sCL -> sSS
+ */
+ /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+-/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
++/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
+ /*
+ * sNO -> sIV Too late and no reason to do anything
+ * sSS -> sIV Client can't send SYN and then SYN/ACK
+ * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
+- * sSR -> sIG
+- * sES -> sIG Error: SYNs in window outside the SYN_SENT state
+- * are errors. Receiver will reply with RST
+- * and close the connection.
+- * Or we are not in sync and hold a dead connection.
+- * sFW -> sIG
+- * sCW -> sIG
+- * sLA -> sIG
+- * sTW -> sIG
+- * sCL -> sIG
++ * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open
++ * sES -> sIV Invalid SYN/ACK packets sent by the client
++ * sFW -> sIV
++ * sCW -> sIV
++ * sLA -> sIV
++ * sTW -> sIV
++ * sCL -> sIV
+ */
+ /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+ /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
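Review bot: The new `/*synack*/` row maps a client-side SYN/ACK in sES through sCL to sIV, but sIV by itself only makes the segment ctstate INVALID — if I recall tcp_packet() correctly it returns -NF_ACCEPT for that state, so the packet is passed on untracked rather than dropped, and the off-path hole described in the message is closed only on hosts whose ruleset drops INVALID (typically `-m conntrack --ctstate INVALID -j DROP`). I would state that dependency in the backport message so stable users do not assume the kernel alone now rejects these probes. The sSR column also changes meaning, from sIG (ignored) to sSR (a tracked transition), which goes slightly beyond "mark as invalid"; the table comment `Late retransmitted SYN/ACK in simultaneous open` covers the why, so that part reads fine. The tcp_conntracks array definition starts and ends outside the hunk, and this hunk touches only the original-direction half of the table; the reply-direction rows are unchanged here.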
diff --git a/queue-3.0/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch b/queue-3.0/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
new file mode 100644
index 00000000000..d1018ae2575
--- /dev/null
+++ b/queue-3.0/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
@@ -0,0 +1,45 @@
+From 38fe36a248ec3228f8e6507955d7ceb0432d2000 Mon Sep 17 00:00:00 2001
+From: Ulrich Weber
+Date: Thu, 25 Oct 2012 05:34:45 +0000
+Subject: netfilter: nf_nat: don't check for port change on ICMP tuples
+
+From: Ulrich Weber
+
+commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream.
+
+ICMP tuples have id in src and type/code in dst.
+So comparing src.u.all with dst.u.all will always fail here
+and ip_xfrm_me_harder() is called for every ICMP packet,
+even if there was no NAT.
+
+Signed-off-by: Ulrich Weber
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/ipv4/netfilter/nf_nat_standalone.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_nat_standalone.c
++++ b/net/ipv4/netfilter/nf_nat_standalone.c
+@@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum,
+ 
+ if ((ct->tuplehash[dir].tuple.src.u3.ip !=
+ ct->tuplehash[!dir].tuple.dst.u3.ip) ||
+- (ct->tuplehash[dir].tuple.src.u.all !=
++ (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++ ct->tuplehash[dir].tuple.src.u.all !=
+ ct->tuplehash[!dir].tuple.dst.u.all)
+ )
+ return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
+@@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum,
+ ret = NF_DROP;
+ }
+ #ifdef CONFIG_XFRM
+- else if (ct->tuplehash[dir].tuple.dst.u.all !=
++ else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++ ct->tuplehash[dir].tuple.dst.u.all !=
+ ct->tuplehash[!dir].tuple.src.u.all)
+ if (ip_xfrm_me_harder(skb))
+ ret = NF_DROP;
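Review bot: The `dst.protonum != IPPROTO_ICMP &&` guard is now spelled out twice, in nf_nat_out and again in nf_nat_local_fn, and the only thing that explains it is the commit message; the code itself gives no hint why ICMP is exempt from the "did the l4 identifier change" test. A one-line comment at the first site, `/* ICMP tuples keep the id in src.u and type/code in dst.u, so the port-style compare is meaningless here */`, would stop the next reader from "fixing" the exemption away. The exemption is sound only as long as NAT rewrites the ICMP id and never the type/code, which is my understanding of the IPv4 ICMP NAT code but is not visible in this hunk; if that ever changed, the xfrm re-lookup skipped here would be the thing that silently goes wrong. Both nf_nat_out and nf_nat_local_fn start and end outside their hunks.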
diff --git a/queue-3.0/netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch b/queue-3.0/netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch
new file mode 100644
index 00000000000..20f2908d097
--- /dev/null
+++ b/queue-3.0/netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch
@@ -0,0 +1,43 @@
+From 4a70bbfaef0361d27272629d1a250a937edcafe4 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik
+Date: Fri, 31 Aug 2012 09:55:54 +0000
+Subject: netfilter: Validate the sequence number of dataless ACK packets as well
+
+From: Jozsef Kadlecsik
+
+commit 4a70bbfaef0361d27272629d1a250a937edcafe4 upstream.
+
+We spare nothing by not validating the sequence number of dataless
+ACK packets and enabling it makes harder off-path attacks.
+
+See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
+http://arxiv.org/abs/1201.2074
+
+Signed-off-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -628,15 +628,9 @@ static bool tcp_in_window(const struct n
+ ack = sack = receiver->td_end;
+ }
+ 
+- if (seq == end
+- && (!tcph->rst
+- || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
++ if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
+ /*
+- * Packets contains no data: we assume it is valid
+- * and check the ack value only.
+- * However RST segments are always validated by their
+- * SEQ number, except when seq == 0 (reset sent answering
+- * SYN.
++ * RST sent answering SYN.
+ */
+ seq = end = sender->td_end;
+ 
diff --git a/queue-3.0/series b/queue-3.0/series
index 3c0a97e0eba..7c5f0f15c09 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
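Review bot: The tightened check on dataless ACKs is, as far as I recall tcp_in_window, still bypassed when `nf_conntrack_tcp_be_liberal` is set or the connection carries the BE_LIBERAL flag, since that mode accepts any non-RST out-of-window segment at the end of the function; the backport message should say the hardening assumes the default liberal=0, so operators who enabled it for asymmetric routing know they are not covered. It is also worth noting for stable users that dataless ACKs with a stale sequence number, previously accepted on the strength of their ack value alone, now become ctstate INVALID, which can show up as new INVALID drops on paths with reordering or out-of-sync entries; that is the intended trade-off, but a sentence in the message would help triage. The surviving three-line block comment carries a single sentence; `/* RST sent answering SYN. */` on the line before `seq = end = sender->td_end;` reads cleaner. tcp_in_window starts and ends outside the hunk.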
@@ -16,3 +16,6 @@ net-rps-fix-brokeness-causing-ooo-packets.patch
 tmpfs-change-final-i_blocks-bug-to-warning.patch
 r8169-use-unlimited-dma-burst-for-tx.patch
 kbuild-fix-gcc-x-syntax.patch
+netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch
+netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch
+netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch