diff options
| author |   Florin Coras <fcoras@cisco.com> | 2019-06-07 12:38:55 -0700 |
|---|---|---|
| committer |   Dave Barach <openvpp@barachs.net> | 2019-06-08 16:41:42 +0000 |
| commit | d567a8d51bab6dbd45b70ec99e9b7a1b9ae58e71 (patch) | |
| tree | 8e137713eaa53ad502f47e22b2d84f9f0ded9084 /src/vnet | |
| parent | 548f75744915c8e1c5e59fb866af0d912d1173a1 (diff) | |
tcp: send challenge ack for in wnd syn
Type: fix
Per rfc793, in window syns for established connections should lead to
connection resets. As a mitigation for blind reset attacks, rfc5961
requests that such syns be replied to with challange acks.
Change-Id: I75e4972bbb515e48d9cf1bda32ea5d9891d670f0
Signed-off-by: Florin Coras <fcoras@cisco.com>
Diffstat (limited to 'src/vnet')
| -rw-r--r-- | src/vnet/tcp/tcp_input.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/vnet/tcp/tcp_input.c b/src/vnet/tcp/tcp_input.c index d116af8ac6a..a438709a532 100644 --- a/src/vnet/tcp/tcp_input.c +++ b/src/vnet/tcp/tcp_input.c @@ -390,8 +390,9 @@ tcp_segment_validate (tcp_worker_ctx_t * wrk, tcp_connection_t * tc0, /* 4th: check the SYN bit (in window) */ if (PREDICT_FALSE (tcp_syn (th0))) { + /* As per RFC5961 send challenge ack instead of reset */ + tcp_program_ack (wrk, tc0); *error0 = TCP_ERROR_SPURIOUS_SYN; - tcp_send_reset (tc0); goto error; } |