path: root/net
diff options
authorPhil Oester <kernel@linuxace.com>2013-06-04 05:09:27 +0000
committerPablo Neira Ayuso <pablo@netfilter.org>2013-06-05 13:59:22 +0200
commit409b545ac10d9548929557a75ad86540f59a2c83 (patch)
tree2d6be092933a6540dce90a36c10548859f09cc9e /net
parent37bc4f8dfa72fb43b84381abca39cfdbbc8ff2df (diff)
netfilter: xt_TCPMSS: Fix violation of RFC879 in absence of MSS option
The clamp-mss-to-pmtu option of the xt_TCPMSS target can cause issues connecting to websites if there was no MSS option present in the original SYN packet from the client. In these cases, it may add a MSS higher than the default specified in RFC879. Fix this by never setting a value > 536 if no MSS option was specified by the client. This closes netfilter's bugzilla #662. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
1 files changed, 6 insertions, 0 deletions
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a75240f0d42b..afaebc766933 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -125,6 +125,12 @@ tcpmss_mangle_packet(struct sk_buff *skb,
skb_put(skb, TCPOLEN_MSS);
+ /* RFC 879 states that the default MSS is 536 without specific
+ * knowledge that the destination host is prepared to accept larger.
+ * Since no MSS was provided, we MUST NOT set a value > 536.
+ */
+ newmss = min(newmss, (u16)536);
opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));

Privacy Policy