From d567a8d51bab6dbd45b70ec99e9b7a1b9ae58e71 Mon Sep 17 00:00:00 2001
From: Florin Coras
Date: Fri, 7 Jun 2019 12:38:55 -0700
Subject: tcp: send challenge ack for in wnd syn

Type: fix

Per rfc793, in window syns for established connections should lead to connection resets. As a mitigation for blind reset attacks, rfc5961 requests that such syns be replied to with challange acks.

Change-Id: I75e4972bbb515e48d9cf1bda32ea5d9891d670f0
Signed-off-by: Florin Coras
---
 src/vnet/tcp/tcp_input.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/vnet')

diff --git a/src/vnet/tcp/tcp_input.c b/src/vnet/tcp/tcp_input.c
index d116af8ac6a..a438709a532 100644
--- a/src/vnet/tcp/tcp_input.c
+++ b/src/vnet/tcp/tcp_input.c
@@ -390,8 +390,9 @@ tcp_segment_validate (tcp_worker_ctx_t * wrk, tcp_connection_t * tc0,
   /* 4th: check the SYN bit (in window) */
   if (PREDICT_FALSE (tcp_syn (th0)))
     {
+      /* As per RFC5961 send challenge ack instead of reset */
+      tcp_program_ack (wrk, tc0);
       *error0 = TCP_ERROR_SPURIOUS_SYN;
-      tcp_send_reset (tc0);
       goto error;
     }
-- 
cgit 1.2.3-korg
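Review bot: The challenge ACK programmed by the new `tcp_program_ack (wrk, tc0);` line is issued for every in-window SYN with no rate limit visible in the hunk, whereas RFC 5961 section 5 recommends throttling challenge ACKs so that a burst of spoofed SYNs cannot drive an unbounded ACK stream from the endpoint. If tcp_program_ack does not already coalesce or throttle per connection, a per-connection or per-worker cap on challenge ACKs, with a counter for the ones suppressed, would complete the mitigation. The new comment could also record that the segment is still dropped and counted, e.g. `/* RFC 5961 sec. 4.2: answer an in-window SYN with a challenge ack and drop the segment; no reset, to resist blind reset attacks */`. tcp_segment_validate starts and ends outside the hunk.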