From: Phil Sutter Date: Mon, 9 Oct 2017 13:47:39 +0000 (+0200) Subject: extensions: libxt_tcpmss: Detect invalid ranges X-Git-Tag: v1.6.2~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dbbab0aa328f136502373a1031e64eb53fa113e5;p=thirdparty%2Fiptables.git extensions: libxt_tcpmss: Detect invalid ranges Previously, an MSS range of e.g. 65535:1000 was silently accepted but would then never match a packet since the kernel checks whether the MSS value is greater than or equal to the first *and* less than or equal to the second value. Detect this as a parameter problem and update the man page accordingly. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c index c7c59717..bcd357aa 100644 --- a/extensions/libxt_tcpmss.c +++ b/extensions/libxt_tcpmss.c @@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb) xtables_option_parse(cb); mssinfo->mss_min = cb->val.u16_range[0]; mssinfo->mss_max = mssinfo->mss_min; - if (cb->nvals == 2) + if (cb->nvals == 2) { mssinfo->mss_max = cb->val.u16_range[1]; + if (mssinfo->mss_max < mssinfo->mss_min) + xtables_error(PARAMETER_PROBLEM, + "tcpmss: invalid range given"); + } if (cb->invert) mssinfo->invert = 1; } diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man index 8ee715cd..8253c363 100644 --- a/extensions/libxt_tcpmss.man +++ b/extensions/libxt_tcpmss.man @@ -1,4 +1,4 @@ This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. .TP [\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP] -Match a given TCP MSS value or range. +Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP.