1From adbc5b5f716d108966bcf606e61de60b83f525a5 Mon Sep 17 00:00:00 2001
2From: Simon Goldschmidt <goldsimon@gmx.de>
3Date: Thu, 5 Mar 2020 21:20:35 +0100
4Subject: [PATCH] tcp: tighten up checks for received SYN
5Any malicous segment could contain a SYN up to now (no check).
6A SYN in the wrong segment could break OOSEQ queueing.
7Fix this by allowing SYN only in states where it is required.
8See bug #56397: Assert "tcp_receive: ooseq tcplen > rcv_wnd"
9Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
10Conflict: NA
11Reference: https://git.savannah.gnu.org/cgit/lwip.git/commit/?id=adbc5b5f716d108966bcf606e61de60b83f525a5
12---
13 src/core/tcp_in.c | 17 +++++++++++++----
14 1 file changed, 13 insertions(+), 4 deletions(-)
15diff --git a/src/core/tcp_in.c b/src/core/tcp_in.c
16index 4bfba85f..90061281 100644
17--- a/src/core/tcp_in.c
18+++ b/src/core/tcp_in.c
19@@ -852,6 +852,13 @@ tcp_process(struct tcp_pcb *pcb)
20
21 tcp_parseopt(pcb);
22
23+ if (flags & TCP_SYN) {
24+ /* accept SYN only in 2 states: */
25+ if ((pcb->state != SYN_SENT) && (pcb->state != SYN_RCVD)) {
26+ return ERR_OK;
27+ }
28+ }
29+
30 /* Do different things depending on the TCP state. */
31 switch (pcb->state) {
32 case SYN_SENT:
33@@ -924,7 +931,12 @@ tcp_process(struct tcp_pcb *pcb)
34 }
35 break;
36 case SYN_RCVD:
37- if (flags & TCP_ACK) {
38+ if (flags & TCP_SYN) {
39+ if (seqno == pcb->rcv_nxt - 1) {
40+ /* Looks like another copy of the SYN - retransmit our SYN-ACK */
41+ tcp_rexmit(pcb);
42+ }
43+ } else if (flags & TCP_ACK) {
44 /* expected ACK number? 
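Review bot: The new state check is placed after `tcp_parseopt(pcb);` on the line above it, so a SYN arriving in a synchronized state is discarded only after its TCP options have already been parsed into the pcb; if tcp_parseopt applies options such as MSS or window scale regardless of state (its body is not visible here), hoisting the whole `if (flags & TCP_SYN)` block above that call would keep an unsolicited SYN from altering connection state before it is dropped. The drop is also silent: `return ERR_OK;` neither counts the event nor answers it, whereas RFC 5961 section 4 has a peer in a synchronized state reply with a challenge ACK so that a legitimate peer which lost its state can recover. If silent discard is the intended policy, replacing `/* accept SYN only in 2 states: */` with `/* SYN outside SYN_SENT/SYN_RCVD: discard silently (no challenge ACK per RFC 5961 4.2) */` would record that choice for the next reader. `flags` is defined outside the hunk, and tcp_process begins and ends outside it.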
*/
45 if (TCP_SEQ_BETWEEN(ackno, pcb->lastack + 1, pcb->snd_nxt)) {
46 pcb->state = ESTABLISHED;
47@@ -975,9 +987,6 @@ tcp_process(struct tcp_pcb *pcb)
48 tcp_rst(pcb, ackno, seqno + tcplen, ip_current_dest_addr(),
49 ip_current_src_addr(), tcphdr->dest, tcphdr->src);
50 }
51- } else if ((flags & TCP_SYN) && (seqno == pcb->rcv_nxt - 1)) {
52- /* Looks like another copy of the SYN - retransmit our SYN-ACK */
53- tcp_rexmit(pcb);
54 }
55 break;
56 case CLOSE_WAIT:
57-- 
582.28.0.windows.1
59
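Review bot: Giving `if (flags & TCP_SYN)` priority over `} else if (flags & TCP_ACK) {` in the SYN_RCVD case changes how a segment carrying both SYN and ACK is handled: before this commit it went through the ACK branch, where an unexpected ackno appears to have been answered with the tcp_rst call visible in the third hunk's context, while now the ACK is never examined and the segment either triggers `tcp_rexmit(pcb)` when `seqno == pcb->rcv_nxt - 1` or is dropped without a reply. That may well be intended, since a SYN+ACK is not a valid answer to our SYN-ACK, but the only comment in the hunk covers the retransmit case; a line such as `/* SYN takes precedence: a segment with SYN set is never treated as the handshake ACK */` above the new `if` would document the decision. The rexmit trigger itself is gated on seqno alone exactly as the removed code was, so it is no weaker than before. The SYN_RCVD case continues past this hunk and tcp_process starts outside it.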