Re: Syn Cookies

Andi Kleen (ak@muc.de)
Tue, 28 Dec 1999 16:21:33 +0100


On Tue, Dec 28, 1999 at 03:51:09PM +0100, Riley Williams wrote:
> Hi Andi.
>
> > The appended patch fixes the problem too.
>
> > diff -urN linux-2.2.13/net/ipv4/tcp_ipv4.c linux-2.2.13/net/ipv4/tcp_ipv4.c
> > --- linux-2.2.13/net/ipv4/tcp_ipv4.c Wed Oct 20 02:14:02 1999
> > +++ linux-2.2.13/net/ipv4/tcp_ipv4.c Mon Nov 1 15:58:04 1999
> > @@ -1615,7 +1615,8 @@
> > sk = tcp_check_req(sk, skb, req);
> > }
> > #ifdef CONFIG_SYN_COOKIES
> > - else if (flg == __constant_htonl(0x00120000)) { > > + else if ((flg & __constant_htonl(0x00120000))==__constant_htonl(0x00100000))
> > + {
> > sk = cookie_v4_check(sk, skb, &(IPCB(skb)->opt));
> > }
> > #endif
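Review bot: The mask on the added `else if` line covers only the two bits in 0x00120000, so any other flag bit still present in flg is ignored by this test and such a segment would reach cookie_v4_check(); the hunk does not show where those bits are dealt with. Add a comment saying that this branch expects the bare ACK that completes the handshake and where the other flags are filtered, and consider named constants in place of 0x00120000 and 0x00100000. The opening brace on a line of its own also differs from the `else if (...) {` form of the line it replaces.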
>
> Can I confirm that that patch is correct? The old test required both
> bits 17 and 20 to be set, whilst the revised test requires bit 17 to
> be clear instead ???

No, you're in the wrong byte order. Look at the header picture in RFC793.

The test checks for the ACK (bit 12) and the SYN (bit 15) bit.

The old check checks for SYN and ACK both set, the new one checks that ACK
is set and SYN isn't (other flags are and'ed out earlier). This is because
the cookie checks for the third packet in the TCP three-way exchange, which
is supposed to be a plain ACK. Checking for a SYN-ACK was obviously wrong.

The code before 2.2.11 just used an unconditional else.

In 2.3 this mess is replaced by symbolic flags BTW.

-Andi
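
The two conditions from the quoted hunk, run against the three segments of a handshake, as an added example that is not part of the original message or the kernel source. `header_word` and `mask_flags` are hypothetical helpers: the mask stands in for the earlier masking the reply mentions, and the data offset and window bytes are constructed values.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_SYN 0x02   /* flag bits in byte 13 of the TCP header (RFC 793) */
#define TH_ACK 0x10

/* Constructed input: the fourth 32-bit header word (offset, flags, window)
 * as it sits in memory, i.e. in network byte order. */
static uint32_t header_word(uint8_t flags)
{
    uint8_t raw[4] = { 0x50, flags, 0x7d, 0x78 };
    uint32_t w;
    memcpy(&w, raw, sizeof w);
    return w;
}

/* Assumption: stand-in for the earlier masking the reply mentions. */
static uint32_t mask_flags(uint32_t word)
{
    return word & htonl(0x00120000);
}

/* Condition on the '-' line: SYN and ACK both set. */
static int old_test(uint32_t flg)
{
    return flg == htonl(0x00120000);
}

/* Condition on the '+' line: ACK set, SYN clear. */
static int new_test(uint32_t flg)
{
    return (flg & htonl(0x00120000)) == htonl(0x00100000);
}

int main(void)
{
    uint8_t seg[3] = { TH_SYN, TH_SYN | TH_ACK, TH_ACK };  /* handshake order */
    for (int i = 0; i < 3; i++) {
        uint32_t flg = mask_flags(header_word(seg[i]));
        printf("segment %d: old=%d new=%d\n", i + 1, old_test(flg), new_test(flg));
    }
    return 0;
}
```

Because the constants go through `htonl` and the word is built from raw bytes, the result is the same on little-endian and big-endian hosts.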
