CVE Request -- kernel: tcp: drop SYN+FIN messages

[John Haxby <john.haxby () oracle com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Recently we have a couple of queries relating to a Nessus "TCP/IP
SYN+FIN Packet Filtering Weakness".   This has not been helped by the
fact that [1] actually points (indrectly) to CVE-2002-2438 which is
actually a SYN+RST problem.

The Nessus script actually appears to detect this problem (also
described in [2]):

commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa
Author: Eric Dumazet <eric.dumazet () gmail com>
Date:   Fri Dec 2 23:41:42 2011 +0000

    tcp: drop SYN+FIN messages
   
    Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
    linux machines to their limits.
   
    Dont call conn_request() if the TCP flags includes SYN flag
   
    Reported-by: Denys Fedoryshchenko <denys () visp net lb>
    Signed-off-by: Eric Dumazet <eric.dumazet () gmail com>
    Signed-off-by: David S. Miller <davem () davemloft net>

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 78dd38c..0cbb440 100644
- --- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5811,6 +5811,8 @@ int tcp_rcv_state_process(struct sock *sk, struct
sk_buff *skb,
             goto discard;
 
         if (th->syn) {
+            if (th->fin)
+                goto discard;
             if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
                 return 1;
 

References:
[1] http://www.nessus.org/plugins/index.php?view=single&id=11618
[2] http://markmail.org/thread/l6y5vu3tub434z4w
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/F7AoACgkQRQu7fpQvo8iHgwD+K4uHEOheYdcAopAYWUDystWm
KfrN/P2vvbM8vJ7PxvYA/3WX3KE87EdiGScqhZWXI0/A1PPe+yTVM5+1iwqCR4hk
=OtXl
-----END PGP SIGNATURE-----