summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorAlexey Kuznetsov <kuznet@ms2.inr.ac.ru>2006-03-22 14:34:42 -0800
committerGreg Kroah-Hartman <gregkh@suse.de>2006-03-27 22:47:30 -0800
commit6f78133bf7a06845afee5bcdff7c276bbceaaf55 (patch)
tree012c99b16d65f72ac2c147aabd7d04ba18a437e0 /net
parent65851bbf2ab375b4c00f4571dfb5c1003625c12f (diff)
downloadlwn-6f78133bf7a06845afee5bcdff7c276bbceaaf55.tar.gz
lwn-6f78133bf7a06845afee5bcdff7c276bbceaaf55.zip
[PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)
The problem is in ip_push_pending_frames(), which uses: if (!df) { __ip_select_ident(iph, &rt->u.dst, 0); } else { iph->id = htons(inet->id++); } instead of ip_select_ident(). Right now I think the code is a nonsense. Most likely, I copied it from old ip_build_xmit(), where it was really special, we had to decide whether to generate unique ID when generating the first (well, the last) fragment. In ip_push_pending_frames() it does not make sense, it should use plain ip_select_ident() instead. Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/ip_output.c6
1 files changed, 1 insertions, 5 deletions
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 8ee4d016740d..f75ff1d96551 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock *sk)
iph->tos = inet->tos;
iph->tot_len = htons(skb->len);
iph->frag_off = df;
- if (!df) {
- __ip_select_ident(iph, &rt->u.dst, 0);
- } else {
- iph->id = htons(inet->id++);
- }
+ ip_select_ident(iph, &rt->u.dst, sk);
iph->ttl = ttl;
iph->protocol = sk->sk_protocol;
iph->saddr = rt->rt_src;