Commit 409b545a authored by Phil Oester's avatar Phil Oester Committed by Pablo Neira Ayuso

netfilter: xt_TCPMSS: Fix violation of RFC879 in absence of MSS option

The clamp-mss-to-pmtu option of the xt_TCPMSS target can cause issues
connecting to websites if there was no MSS option present in the
original SYN packet from the client. In these cases, it may add a
MSS higher than the default specified in RFC879. Fix this by never
setting a value > 536 if no MSS option was specified by the client.

This closes netfilter's bugzilla #662.
Signed-off-by: default avatarPhil Oester <kernel@linuxace.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 37bc4f8d
......@@ -125,6 +125,12 @@ tcpmss_mangle_packet(struct sk_buff *skb,
skb_put(skb, TCPOLEN_MSS);
/* RFC 879 states that the default MSS is 536 without specific
* knowledge that the destination host is prepared to accept larger.
* Since no MSS was provided, we MUST NOT set a value > 536.
*/
newmss = min(newmss, (u16)536);
opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment