TCP: check min TTL on received ICMP packets
This adds RFC5082 checks for TTL on received ICMP packets.
It adds some security against spoofed ICMP packets
disrupting GTSM protected sessions.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger authored and David S. Miller committed Mar 20, 2010
1 parent 1041444 commit 97e3ecd
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions net/ipv4/tcp_ipv4.c
Expand Up @@ -370,6 +370,11 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
if (sk->sk_state == TCP_CLOSE)
goto out;

if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
goto out;
}

icsk = inet_csk(sk);
tp = tcp_sk(sk);
seq = ntohl(th->seq);
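
Review bot: In the added `if (unlikely(iph->ttl < inet_sk(sk)->min_ttl))` test, confirm which header `iph` points at. Its assignment is not shown in this hunk, and the context line `seq = ntohl(th->seq)` reads the TCP header quoted inside the ICMP error; if `iph` is likewise the quoted IP header, the comparison uses the TTL of the original datagram rather than the TTL the ICMP packet arrived with, which is what the commit message says is being checked. In that case the TTL should be read from the outer IP header of `icmp_skb`. A one-line comment above the test naming RFC 5082 would also help, since the drop is otherwise visible only through the `LINUX_MIB_TCPMINTTLDROP` counter.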