netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook

In function {ipv4,ipv6}_synproxy_hook we expect a normal TCP packet, but
the real server may reply with an ICMP error packet related to the existing
TCP conntrack, so we would access the wrong TCP data.

Fix it by checking for the protocol field and only process tcp traffic.

Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Lin Zhang 2017-10-06 00:44:03 +08:00 committed by Pablo Neira Ayuso
parent e466af75c0
commit 49f817d793
2 changed files with 3 additions and 2 deletions


@ -330,7 +330,8 @@ static unsigned int ipv4_synproxy_hook(void *priv,
if (synproxy == NULL) if (synproxy == NULL)
return NF_ACCEPT; return NF_ACCEPT;
if (nf_is_loopback_packet(skb)) if (nf_is_loopback_packet(skb) ||
ip_hdr(skb)->protocol != IPPROTO_TCP)
return NF_ACCEPT; return NF_ACCEPT;
thoff = ip_hdrlen(skb); thoff = ip_hdrlen(skb);
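Review bot: The new guard `ip_hdr(skb)->protocol != IPPROTO_TCP` carries no comment saying why non-TCP packets reach this hook at all, and the reason given in the commit message (ICMP errors that conntrack associates with an existing TCP flow) is exactly what a later reader of this check will want to see next to it. Suggest adding above the `if`: `/* conntrack also hands us ICMP errors related to the TCP flow; only TCP headers are parsed below, so skip everything else */`. The same comment would serve the `nexthdr != IPPROTO_TCP` test in the ipv6 hunk. ipv4_synproxy_hook starts and ends outside this hunk.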


@ -353,7 +353,7 @@ static unsigned int ipv6_synproxy_hook(void *priv,
nexthdr = ipv6_hdr(skb)->nexthdr; nexthdr = ipv6_hdr(skb)->nexthdr;
thoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, thoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
&frag_off); &frag_off);
if (thoff < 0) if (thoff < 0 || nexthdr != IPPROTO_TCP)
return NF_ACCEPT; return NF_ACCEPT;
th = skb_header_pointer(skb, thoff, sizeof(_th), &_th); th = skb_header_pointer(skb, thoff, sizeof(_th), &_th);
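Review bot: The new condition `if (thoff < 0 || nexthdr != IPPROTO_TCP)` rejects non-TCP upper-layer headers, but `frag_off`, which ipv6_skip_exthdr fills in on the line above, is still not consulted, so a non-first fragment whose fragment header announces TCP would pass the guard and reach the skb_header_pointer read for a TCP header that is not present in that fragment. If IPv6 defragmentation is guaranteed to run before this hook that is harmless, but nothing in the hunk states the assumption; a one-line comment such as `/* fragments are reassembled before this hook, so nexthdr is the real transport header */` would make it explicit, or the guard could additionally test `frag_off` if that guarantee does not hold. ipv6_synproxy_hook starts and ends outside this hunk.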