author | Akansh <7958962+AkanshDivker@users.noreply.github.com> | 2023-01-14 03:14:54 -0500 |
---|---|---|
committer | Travis Geiselbrecht <travisg@gmail.com> | 2023-06-01 12:43:56 -0700 |
commit | 28c615456c4bff815db20351790e42334ac89201 (patch) | |
tree | 8619ba96f44248a796a9f6393aa4e8861cb2f9ab | |
parent | b8e102ecb79b3a12c602d33f0cf5a41429533691 (diff) | |
download | lk-28c615456c4bff815db20351790e42334ac89201.tar.gz |
Fix CVE-2004-0230
Applied the patch for CVE-2004-0230 in tcp_in.c, which prevents the RST spoofing attack (denial of service).
-rwxr-xr-x | external/lib/lwip/core/tcp_in.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/external/lib/lwip/core/tcp_in.c b/external/lib/lwip/core/tcp_in.c index 4ec971ac..9516bd1b 100755 --- a/external/lib/lwip/core/tcp_in.c +++ b/external/lib/lwip/core/tcp_in.c @@ -584,14 +584,22 @@ tcp_process(struct tcp_pcb *pcb) if (flags & TCP_RST) { /* First, determine if the reset is acceptable. */ if (pcb->state == SYN_SENT) { + /* "In the SYN-SENT state (a RST received in response to an initial SYN), + the RST is acceptable if the ACK field acknowledges the SYN." */ if (ackno == pcb->snd_nxt) { acceptable = 1; } } else { - if (TCP_SEQ_BETWEEN(seqno, pcb->rcv_nxt, - pcb->rcv_nxt+pcb->rcv_wnd)) { + /* "In all states except SYN-SENT, all reset (RST) segments are validated + by checking their SEQ-fields." */ + if (seqno == pcb->rcv_nxt) { acceptable = 1; - } + } else if (TCP_SEQ_BETWEEN(seqno, pcb->rcv_nxt, pcb->rcv_nxt + pcb->rcv_wnd)) { + /* If the sequence number is inside the window, we only send an ACK + and wait for a re-send with matching sequence number. + This violates RFC 793, but is required to protection against + CVE-2004-0230 (RST spoofing attack). */ + tcp_ack_now(pcb); } if (acceptable) { |
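Review bot: The `else if (TCP_SEQ_BETWEEN(...)) {` branch added on the non-SYN_SENT path appears to have no closing brace of its own: the hunk removes the inner `}` and adds `} else if (...) {` and `tcp_ack_now(pcb);`, but no `}` after it, so the one remaining context `}` closes the `else if` and leaves the outer `else` open where `if (acceptable) {` begins. The header counts (`-584,14 +584,22`, 11 insertions, 3 deletions) fit that reading, but the page collapses the hunk onto one line and tcp_process continues outside it, so confirm against the file; if it holds, add a `}` line directly after `tcp_ack_now(pcb);`. The added comment would also be more useful if it named the specification for this behaviour, e.g. `/* In-window RST with seqno != rcv_nxt: send a challenge ACK (RFC 5961 section 3.2) and wait for an RST with seqno == rcv_nxt. */`. Nothing visible in the hunk limits how often `tcp_ack_now()` fires for in-window RSTs, so consider the ACK throttling that RFC 5961 section 7 recommends.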