- patches.kabi/0001-Revert-tcp-RFC-5961-5.2-Blind-Data-Injection-Attack-.patch:
[opensuse:kernel-source.git] / patches.kabi / 0001-Revert-tcp-RFC-5961-5.2-Blind-Data-Injection-Attack-.patch
1 From: Jiri Slaby <jslaby@suse.cz>
2 Subject: Revert "tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation"
3 Patch-mainline: never, kABI
4
5 This reverts commit 8d15569e14cfcf9151e9e3b4c0cb98369943a2bb, upstream
6 commit 354e4aa391ed50a4d827ff6fc11e0667d0859b25. We cannot take these
7 patches as they change public SNMP interface indices.
8
9 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
10 ---
11  net/ipv4/tcp_input.c |   43 ++++++++++++++++++-------------------------
12  1 file changed, 18 insertions(+), 25 deletions(-)
13
14 --- a/net/ipv4/tcp_input.c
15 +++ b/net/ipv4/tcp_input.c
16 @@ -3639,24 +3639,6 @@ static int tcp_process_frto(struct sock
17         return 0;
18  }
19  
20 -/* RFC 5961 7 [ACK Throttling] */
21 -static void tcp_send_challenge_ack(struct sock *sk)
22 -{
23 -       /* unprotected vars, we dont care of overwrites */
24 -       static u32 challenge_timestamp;
25 -       static unsigned int challenge_count;
26 -       u32 now = jiffies / HZ;
27 -
28 -       if (now != challenge_timestamp) {
29 -               challenge_timestamp = now;
30 -               challenge_count = 0;
31 -       }
32 -       if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
33 -               NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
34 -               tcp_send_ack(sk);
35 -       }
36 -}
37 -
38  static void tcp_store_ts_recent(struct tcp_sock *tp)
39  {
40         tp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval;
41 @@ -3694,14 +3676,8 @@ static int tcp_ack(struct sock *sk, stru
42         /* If the ack is older than previous acks
43          * then we can probably ignore it.
44          */
45 -       if (before(ack, prior_snd_una)) {
46 -               /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
47 -               if (before(ack, prior_snd_una - tp->max_window)) {
48 -                       tcp_send_challenge_ack(sk);
49 -                       return -1;
50 -               }
51 +       if (before(ack, prior_snd_una))
52                 goto old_ack;
53 -       }
54  
55         /* If the ack includes data we haven't sent yet, discard
56          * this segment (RFC793 Section 3.9).
57 @@ -5201,6 +5177,23 @@ out:
58  }
59  #endif /* CONFIG_NET_DMA */
60  
61 +static void tcp_send_challenge_ack(struct sock *sk)
62 +{
63 +       /* unprotected vars, we dont care of overwrites */
64 +       static u32 challenge_timestamp;
65 +       static unsigned int challenge_count;
66 +       u32 now = jiffies / HZ;
67 +
68 +       if (now != challenge_timestamp) {
69 +               challenge_timestamp = now;
70 +               challenge_count = 0;
71 +       }
72 +       if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
73 +               NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
74 +               tcp_send_ack(sk);
75 +       }
76 +}
77 +
78  /* Does PAWS and seqno based validation of an incoming segment, flags will
79   * play significant role here.
80   */