
prevent RST spoofing
This fixes CVE-2004-0230 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230)
by sending an ACK instead of closing the connection, when an RST packet is received but does not match the expected sequence number.
If it only matches into the TCP receive window, we send an ACK.
A legitimate RST packet with a matching sequence number should follow; otherwise it was probably a spoofing attack by someone guessing a sequence number inside the window.

Closes #14
tabascoeye committed Sep 18, 2014
1 parent 95b711a commit 5a5452c
Showing 1 changed file with 9 additions and 14 deletions.
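--- a/src/core/tcp_in.c
+++ b/src/core/tcp_in.c
@@ -666,32 +666,27 @@ static err_t
 tcp_process(struct tcp_pcb *pcb)
 {
 struct tcp_seg *rseg;
-u8_t acceptable = 0;
 err_t err;
 
 err = ERR_OK;
 
 /* Process incoming RST segments. */
 if (flags & TCP_RST) {
-/* First, determine if the reset is acceptable. */
-if (pcb->state == SYN_SENT) {
-if (ackno == pcb->snd_nxt) {
-acceptable = 1;
-}
-} else {
-if (TCP_SEQ_BETWEEN(seqno, pcb->rcv_nxt,
-pcb->rcv_nxt+pcb->rcv_wnd)) {
-acceptable = 1;
-}
-}
-
-if (acceptable) {
+/* First, determine if the reset is acceptable. (in case of RST only if the sequence number matches) */
+if (ackno == pcb->snd_nxt) {
 LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_process: Connection RESET\n"));
 LWIP_ASSERT("tcp_input: pcb->state != CLOSED", pcb->state != CLOSED);
 recv_flags |= TF_RESET;
 pcb->flags &= ~TF_ACK_DELAY;
 return ERR_RST;
 } else {
+/* if the sequence number is inside the window, we only send an ACK
+and wait for a re-send with matching sequence number.
+This is protection against CVE-2004-0230 (RST spoofing attack) */
+if (TCP_SEQ_BETWEEN(seqno, pcb->rcv_nxt,
+pcb->rcv_nxt+pcb->rcv_wnd)) {
+tcp_ack_now(pcb);
+}
 LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_process: unacceptable reset seqno %"U32_F" rcv_nxt %"U32_F"\n",
 seqno, pcb->rcv_nxt));
 LWIP_DEBUGF(TCP_DEBUG, ("tcp_process: unacceptable reset seqno %"U32_F" rcv_nxt %"U32_F"\n",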
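Review bot: The new acceptance test `if (ackno == pcb->snd_nxt) {` keys the RST on the acknowledgment number, while the comment on that same line, the commit description and the fallback branch below all talk about the sequence number; the RFC 5961 mitigation this is modelled on accepts an RST in a synchronized state only when `seqno == pcb->rcv_nxt`, and uses the ackno comparison only in SYN_SENT, which is exactly what the removed `pcb->state == SYN_SENT` branch did. A peer whose RST does not carry an ACK matching our snd_nxt (RFC 793 §3.4 has the RST elicited by our challenge ACK sent as `<SEQ=SEG.ACK><CTL=RST>`, with no ACK at all) would presumably never pass this check, so the connection stays open and every in-window RST keeps calling `tcp_ack_now(pcb)` instead of tearing it down. Restoring the state split with the seqno equality test (sketched below, which also means keeping the removed `u8_t acceptable` declaration) closes both gaps, and I would additionally cap challenge ACKs per connection or per second as RFC 5961 §7 recommends so this path cannot be used to amplify traffic. tcp_process continues past the end of the hunk.
```c
    /* RFC 5961: in SYN_SENT only the ackno can be validated; in any other
       state an RST is accepted only when it carries the next expected seqno.
       An in-window but non-matching seqno gets a challenge ACK (see below). */
    if (pcb->state == SYN_SENT) {
      acceptable = (ackno == pcb->snd_nxt);
    } else {
      acceptable = (seqno == pcb->rcv_nxt);
    }
    if (acceptable) {
      /* … unchanged: TF_RESET handling, return ERR_RST … */
    } else {
      /* … unchanged: in-window challenge ACK and debug output … */
```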
