authorFlorin Coras <fcoras@cisco.com>2019-06-07 12:38:55 -0700
committerDave Barach <openvpp@barachs.net>2019-06-08 16:41:42 +0000
commitd567a8d51bab6dbd45b70ec99e9b7a1b9ae58e71 (patch)
tree8e137713eaa53ad502f47e22b2d84f9f0ded9084
parent548f75744915c8e1c5e59fb866af0d912d1173a1 (diff)
tcp: send challenge ack for in wnd syn
Type: fix Per RFC 793, in-window SYNs for established connections should lead to connection resets. As a mitigation for blind reset attacks, RFC 5961 requests that such SYNs be replied to with challenge ACKs instead. Change-Id: I75e4972bbb515e48d9cf1bda32ea5d9891d670f0 Signed-off-by: Florin Coras <fcoras@cisco.com>
-rw-r--r--src/vnet/tcp/tcp_input.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/vnet/tcp/tcp_input.c b/src/vnet/tcp/tcp_input.c
index d116af8ac6a..a438709a532 100644
--- a/src/vnet/tcp/tcp_input.c
+++ b/src/vnet/tcp/tcp_input.c
@@ -390,8 +390,9 @@ tcp_segment_validate (tcp_worker_ctx_t * wrk, tcp_connection_t * tc0,
/* 4th: check the SYN bit (in window) */
if (PREDICT_FALSE (tcp_syn (th0)))
{
+ /* As per RFC5961 send challenge ack instead of reset */
+ tcp_program_ack (wrk, tc0);
*error0 = TCP_ERROR_SPURIOUS_SYN;
- tcp_send_reset (tc0);
goto error;
}
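Review bot: The challenge ACK programmed on the new `tcp_program_ack (wrk, tc0);` line is emitted for every in-window SYN with no throttling, whereas RFC 5961 Section 5 asks that challenge ACKs be rate-limited so an off-path attacker spoofing SYNs cannot turn the stack into an ACK reflector toward the spoofed source or count the replies as a side channel. A per-connection limit is preferable to a single global one, since a shared global counter is itself observable across connections (the cross-connection inference problem that motivated changing Linux's global limit). Whether `tcp_program_ack` already coalesces or bounds the deferred ACKs is not visible here; if it does not, I would at least mark the gap: `/* TODO: rate-limit challenge ACKs per RFC 5961 Sec. 5 (per-connection, not global) */` above the call. Dropping the segment via `TCP_ERROR_SPURIOUS_SYN` and `goto error` is the right disposition; the rest of tcp_segment_validate lies outside this hunk.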