[PATCH 47/98] netfilter: xt_TCPMSS: Fix violation of RFC879 in absence of MSS option
From: Luis Henriques
Date: Thu Jul 11 2013 - 10:42:53 EST
3.5.7.17 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Oester <kernel@xxxxxxxxxxxx>
commit 409b545ac10d9548929557a75ad86540f59a2c83 upstream.
The clamp-mss-to-pmtu option of the xt_TCPMSS target can cause issues
connecting to websites if there was no MSS option present in the
original SYN packet from the client. In these cases, it may add a
MSS higher than the default specified in RFC879. Fix this by never
setting a value > 536 if no MSS option was specified by the client.
This closes netfilter's bugzilla #662.
Signed-off-by: Phil Oester <kernel@xxxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Luis Henriques <luis.henriques@xxxxxxxxxxxxx>
---
net/netfilter/xt_TCPMSS.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 71a266d..4960b66 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -124,6 +124,12 @@ tcpmss_mangle_packet(struct sk_buff *skb,
skb_put(skb, TCPOLEN_MSS);
+ /* RFC 879 states that the default MSS is 536 without specific
+ * knowledge that the destination host is prepared to accept larger.
+ * Since no MSS was provided, we MUST NOT set a value > 536.
+ */
+ newmss = min(newmss, (u16)536);
+
opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
--
1.8.1.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/