netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook

In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet, but the real server maybe reply an icmp error packet related to the exist tcp conntrack, so we will access wrong tcp data. Fix it by checking for the protocol field and only process tcp traffic. Signed-off-by: Lin Zhang <xiaolou4617@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Lin Zhang <xiaolou4617@gmail.com> 2017-10-06 00:44:03 +0800
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2017-10-09 13:08:39 +0200
commit: 49f817d793d1bcc11d721881aac037b996feef5c (patch)
tree: f1525ecf75e8f4e4d7c9ffca73f2b097cb4c424a /net/ipv4/netfilter/ipt_SYNPROXY.c
parent: e466af75c074e76107ae1cd5a2823e9c61894ffb (diff)
download: linux-49f817d793d1bcc11d721881aac037b996feef5c.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 811689e523c31..f75fc6b531152 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -330,7 +330,8 @@ static unsigned int ipv4_synproxy_hook(void *priv,
 	if (synproxy == NULL)
 		return NF_ACCEPT;
 
-	if (nf_is_loopback_packet(skb))
+	if (nf_is_loopback_packet(skb) ||
+	    ip_hdr(skb)->protocol != IPPROTO_TCP)
 		return NF_ACCEPT;
 
 	thoff = ip_hdrlen(skb);
author	Lin Zhang <xiaolou4617@gmail.com>	2017-10-06 00:44:03 +0800
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-10-09 13:08:39 +0200
commit	49f817d793d1bcc11d721881aac037b996feef5c (patch)
tree	f1525ecf75e8f4e4d7c9ffca73f2b097cb4c424a /net/ipv4/netfilter/ipt_SYNPROXY.c
parent	e466af75c074e76107ae1cd5a2823e9c61894ffb (diff)
download	linux-49f817d793d1bcc11d721881aac037b996feef5c.tar.gz