• Eric Dumazet's avatar
    tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation · 354e4aa3
    Eric Dumazet authored
    RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation]
      All TCP stacks MAY implement the following mitigation.  TCP stacks
      that implement this mitigation MUST add an additional input check to
      any incoming segment.  The ACK value is considered acceptable only if
      it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
      SND.NXT).  All incoming segments whose ACK value doesn't satisfy the
      above condition MUST be discarded and an ACK sent back.
    Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Cc: Neal Cardwell <ncardwell@google.com>
    Cc: Yuchung Cheng <ycheng@google.com>
    Cc: Jerry Chu <hkchu@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>