From: Jozsef Kadlecsik
Date: Fri, 31 Aug 2012 09:55:54 +0000 (+0000)
Subject: netfilter: Validate the sequence number of dataless ACK packets as well
X-Git-Tag: v3.2.35~68
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58fd4b237523afd2a925ccc664d35f0334da4ffd;p=pandora-kernel.git

netfilter: Validate the sequence number of dataless ACK packets as well

commit 4a70bbfaef0361d27272629d1a250a937edcafe4 upstream.

We spare nothing by not validating the sequence number of dataless
ACK packets and enabling it makes harder off-path attacks.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Ben Hutchings
---

Reading git-diff-tree failed