8 năm trước cách đây · d0e1a1b5a8
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -112,6 +112,7 @@ int sysctl_tcp_invalid_ratelimit __read_mostly = HZ/2;
 
				 #define FLAG_DSACKING_ACK	0x800 /* SACK blocks contained D-SACK info */
			
 
				 #define FLAG_SACK_RENEGING	0x2000 /* snd_una advanced to a sacked seq */
			
 
				 #define FLAG_UPDATE_TS_RECENT	0x4000 /* tcp_replace_ts_recent() */
			
 
				+#define FLAG_NO_CHALLENGE_ACK	0x8000 /* do not call tcp_send_challenge_ack()	*/
			
 
				 
			
 
				 #define FLAG_ACKED		(FLAG_DATA_ACKED|FLAG_SYN_ACKED)
			
 
				 #define FLAG_NOT_DUP		(FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED)
			
@@ -3568,7 +3569,8 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
 
				 	if (before(ack, prior_snd_una)) {
			
 
				 		/* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
			
 
				 		if (before(ack, prior_snd_una - tp->max_window)) {
			
 
				-			tcp_send_challenge_ack(sk, skb);
			
 
				+			if (!(flag & FLAG_NO_CHALLENGE_ACK))
			
 
				+				tcp_send_challenge_ack(sk, skb);
			
 
				 			return -1;
			
 
				 		}
			
 
				 		goto old_ack;
			
@@ -5951,13 +5953,17 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
 
				 
			
 
				 	/* step 5: check the ACK field */
			
 
				 	acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH |
			
 
				-				      FLAG_UPDATE_TS_RECENT) > 0;
			
 
				+				      FLAG_UPDATE_TS_RECENT |
			
 
				+				      FLAG_NO_CHALLENGE_ACK) > 0;
			
 
				 
			
 
				+	if (!acceptable) {
			
 
				+		if (sk->sk_state == TCP_SYN_RECV)
			
 
				+			return 1;	/* send one RST */
			
 
				+		tcp_send_challenge_ack(sk, skb);
			
 
				+		goto discard;
			
 
				+	}
			
 
				 	switch (sk->sk_state) {
			
 
				 	case TCP_SYN_RECV:
			
 
				-		if (!acceptable)
			
 
				-			return 1;
			
 
				-
			
 
				 		if (!tp->srtt_us)
			
 
				 			tcp_synack_rtt_meas(sk, req);
			
 
				 
			
@@ -6026,14 +6032,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
 
				 		 * our SYNACK so stop the SYNACK timer.
			
 
				 		 */
			
 
				 		if (req) {
			
 
				-			/* Return RST if ack_seq is invalid.
			
 
				-			 * Note that RFC793 only says to generate a
			
 
				-			 * DUPACK for it but for TCP Fast Open it seems
			
 
				-			 * better to treat this case like TCP_SYN_RECV
			
 
				-			 * above.
			
 
				-			 */
			
 
				-			if (!acceptable)
			
 
				-				return 1;
			
 
				 			/* We no longer need the request sock. */
			
 
				 			reqsk_fastopen_remove(sk, req, false);
			
 
				 			tcp_rearm_rto(sk);