review.tizen.org Git - platform/kernel/linux-stable.git/commit

author	Eric Dumazet <edumazet@google.com>
	Tue, 17 Jul 2012 08:13:05 +0000 (10:13 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 11 Jan 2013 17:07:14 +0000 (09:07 -0800)
commit	34fb350281ced2a72707a5c0064f69992d440edb
tree	91f806c64e65601adf09564a83b4c44f4db080be	tree \| snapshot
parent	c87b45599a4e0d8741abeb85d1d8d5f0c1fb13be	commit \| diff

tcp: implement RFC 5961 3.2

[ Upstream commit 282f23c6ee343126156dd41218b22ece96d747e3 ]

Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.

Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previouly accepted
window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)

If sequence is in window but not an exact match, send
a "challenge ACK", so that the other part can resend an
RST with the appropriate sequence.

Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.

Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Documentation/networking/ip-sysctl.txt		diff \| blob \| history
include/linux/snmp.h		diff \| blob \| history
include/net/tcp.h		diff \| blob \| history
net/ipv4/proc.c		diff \| blob \| history
net/ipv4/sysctl_net_ipv4.c		diff \| blob \| history
net/ipv4/tcp_input.c		diff \| blob \| history