|
|
43df5c |
From 12852e5c973ef9e5d33c1dc1a21c659f4dc6227b Mon Sep 17 00:00:00 2001
|
|
|
43df5c |
From: Phil Sutter <psutter@redhat.com>
|
|
|
43df5c |
Date: Fri, 11 May 2018 15:28:07 +0200
|
|
|
43df5c |
Subject: [PATCH] extensions: libxt_tcpmss: Detect invalid ranges
|
|
|
43df5c |
|
|
|
43df5c |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1128510
|
|
|
43df5c |
Upstream Status: iptables commit dbbab0aa328f1
|
|
|
43df5c |
|
|
|
43df5c |
commit dbbab0aa328f136502373a1031e64eb53fa113e5
|
|
|
43df5c |
Author: Phil Sutter <phil@nwl.cc>
|
|
|
43df5c |
Date: Mon Oct 9 15:47:39 2017 +0200
|
|
|
43df5c |
|
|
|
43df5c |
extensions: libxt_tcpmss: Detect invalid ranges
|
|
|
43df5c |
|
|
|
43df5c |
Previously, an MSS range of e.g. 65535:1000 was silently accepted but
|
|
|
43df5c |
would then never match a packet since the kernel checks whether the MSS
|
|
|
43df5c |
value is greater than or equal to the first *and* less than or equal to
|
|
|
43df5c |
the second value.
|
|
|
43df5c |
|
|
|
43df5c |
Detect this as a parameter problem and update the man page accordingly.
|
|
|
43df5c |
|
|
|
43df5c |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
43df5c |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
43df5c |
|
|
|
43df5c |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
43df5c |
---
|
|
|
43df5c |
extensions/libxt_tcpmss.c | 6 +++++-
|
|
|
43df5c |
extensions/libxt_tcpmss.man | 2 +-
|
|
|
43df5c |
2 files changed, 6 insertions(+), 2 deletions(-)
|
|
|
43df5c |
|
|
|
43df5c |
diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
|
|
|
43df5c |
index c7c5971716294..bcd357aa3d8e2 100644
|
|
|
43df5c |
--- a/extensions/libxt_tcpmss.c
|
|
|
43df5c |
+++ b/extensions/libxt_tcpmss.c
|
|
|
43df5c |
@@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb)
|
|
|
43df5c |
xtables_option_parse(cb);
|
|
|
43df5c |
mssinfo->mss_min = cb->val.u16_range[0];
|
|
|
43df5c |
mssinfo->mss_max = mssinfo->mss_min;
|
|
|
43df5c |
- if (cb->nvals == 2)
|
|
|
43df5c |
+ if (cb->nvals == 2) {
|
|
|
43df5c |
mssinfo->mss_max = cb->val.u16_range[1];
|
|
|
43df5c |
+ if (mssinfo->mss_max < mssinfo->mss_min)
|
|
|
43df5c |
+ xtables_error(PARAMETER_PROBLEM,
|
|
|
43df5c |
+ "tcpmss: invalid range given");
|
|
|
43df5c |
+ }
|
|
|
43df5c |
if (cb->invert)
|
|
|
43df5c |
mssinfo->invert = 1;
|
|
|
43df5c |
}
|
|
|
43df5c |
diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man
|
|
|
43df5c |
index 8ee715cdbfb07..8253c363418f8 100644
|
|
|
43df5c |
--- a/extensions/libxt_tcpmss.man
|
|
|
43df5c |
+++ b/extensions/libxt_tcpmss.man
|
|
|
43df5c |
@@ -1,4 +1,4 @@
|
|
|
43df5c |
This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
|
|
|
43df5c |
.TP
|
|
|
43df5c |
[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
|
|
|
43df5c |
-Match a given TCP MSS value or range.
|
|
|
43df5c |
+Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP.
|
|
|
43df5c |
--
|
|
|
43df5c |
2.17.0
|
|
|
43df5c |
|