From: Florin Coras Date: Fri, 7 Jun 2019 19:38:55 +0000 (-0700) Subject: tcp: send challenge ack for in wnd syn X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=d567a8d51bab6dbd45b70ec99e9b7a1b9ae58e71;p=vpp.git tcp: send challenge ack for in wnd syn Type: fix Per rfc793, in window syns for established connections should lead to connection resets. As a mitigation for blind reset attacks, rfc5961 requests that such syns be replied to with challenge acks. Change-Id: I75e4972bbb515e48d9cf1bda32ea5d9891d670f0 Signed-off-by: Florin Coras --- diff --git a/src/vnet/tcp/tcp_input.c b/src/vnet/tcp/tcp_input.c index d116af8ac6a..a438709a532 100644 --- a/src/vnet/tcp/tcp_input.c +++ b/src/vnet/tcp/tcp_input.c @@ -390,8 +390,9 @@ tcp_segment_validate (tcp_worker_ctx_t * wrk, tcp_connection_t * tc0, /* 4th: check the SYN bit (in window) */ if (PREDICT_FALSE (tcp_syn (th0))) { + /* As per RFC5961 send challenge ack instead of reset */ + tcp_program_ack (wrk, tc0); *error0 = TCP_ERROR_SPURIOUS_SYN; - tcp_send_reset (tc0); goto error; }
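Review bot: the new tcp_program_ack (wrk, tc0) in the SYN branch of tcp_segment_validate is unconditional, and RFC 5961 pairs challenge ACKs with ACK throttling so that a flood of spoofed in-window SYNs cannot turn the receiver into an ACK amplifier; if no rate limit applies on the program-ack path, consider adding one here, or state in the comment where it is enforced. The comment would also be more useful if it cited the section being implemented, e.g. "/* RFC 5961 section 4.2: challenge ack instead of reset */", since the RFC also changes RST handling (section 3.2) and this hunk only covers the SYN case. Keeping *error0 = TCP_ERROR_SPURIOUS_SYN with the reset removed is fine: the counter still records the event, and the segment is still dropped via goto error.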
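The behaviour the commit message contrasts (RFC 793 resets on an in-window SYN versus RFC 5961 challenge ACKs) can be shown as a small model of the segment-validation decision. The block below is an added example written for this page, not VPP code: the struct and function names, the fixed RCV.NXT/window used by the helpers, and the per-second challenge-ACK limit are all hypothetical. It goes slightly beyond the patch by also modelling RFC 5961 section 3.2 for in-window RST segments and the ACK throttling the RFC recommends, so the reset-versus-challenge decision can be compared for both flag types.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of validating one segment on a synchronized (ESTABLISHED) connection. */
enum action {
  ACT_ACCEPT,          /* no SYN/RST: continue normal processing */
  ACT_DROP,            /* outside the receive window: not accepted */
  ACT_RESET,           /* RFC 793 behaviour: tear the connection down */
  ACT_CHALLENGE_ACK,   /* RFC 5961: ACK with current SND.NXT/RCV.NXT, drop segment */
  ACT_DROP_THROTTLED   /* challenge ACK suppressed by the rate limiter */
};

enum policy { POLICY_RFC793, POLICY_RFC5961 };

/* Hypothetical connection state; only the fields this model needs. */
struct conn {
  uint32_t rcv_nxt;     /* next expected sequence number */
  uint32_t rcv_wnd;     /* advertised receive window */
  uint32_t ack_limit;   /* max challenge ACKs per second (hypothetical knob) */
  uint32_t ack_count;   /* challenge ACKs sent in the current second */
  uint32_t ack_second;  /* the second ack_count refers to */
};

struct seg { uint32_t seq; bool syn; bool rst; };

/* Is seq inside [RCV.NXT, RCV.NXT + RCV.WND) modulo 2^32?  Unsigned
 * subtraction handles wraparound as long as the window is below 2^31. */
static bool seq_in_window(const struct conn *c, uint32_t seq) {
  return (uint32_t)(seq - c->rcv_nxt) < c->rcv_wnd;
}

/* RFC 5961 recommends throttling challenge ACKs so an attacker cannot use
 * spoofed SYN/RST floods as an amplifier.  One counter per second suffices. */
static enum action send_challenge_ack(struct conn *c, uint32_t now_sec) {
  if (c->ack_second != now_sec) { c->ack_second = now_sec; c->ack_count = 0; }
  if (c->ack_count >= c->ack_limit) return ACT_DROP_THROTTLED;
  c->ack_count++;
  return ACT_CHALLENGE_ACK;
}

enum action validate_segment(struct conn *c, const struct seg *s,
                             enum policy p, uint32_t now_sec) {
  /* A real stack ACKs non-RST out-of-window segments; that is not modelled. */
  if (!seq_in_window(c, s->seq)) return ACT_DROP;
  if (s->rst) {
    if (p == POLICY_RFC793) return ACT_RESET;
    /* RFC 5961 section 3.2: only an exact RCV.NXT match may reset. */
    return s->seq == c->rcv_nxt ? ACT_RESET : send_challenge_ack(c, now_sec);
  }
  if (s->syn) {
    /* RFC 793: an in-window SYN resets.  RFC 5961 section 4.2: challenge ACK. */
    return p == POLICY_RFC793 ? ACT_RESET : send_challenge_ack(c, now_sec);
  }
  return ACT_ACCEPT;
}

/* Helper: classify one segment on a fresh connection (RCV.NXT 1000, window 65535). */
enum action check_one(enum policy p, uint32_t seq, bool syn, bool rst) {
  struct conn c = { .rcv_nxt = 1000, .rcv_wnd = 65535, .ack_limit = 100 };
  struct seg s = { .seq = seq, .syn = syn, .rst = rst };
  return validate_segment(&c, &s, p, 0);
}

/* Helper: how many of n in-window SYNs arriving in the same second get a
 * challenge ACK under RFC 5961 with the given per-second limit. */
unsigned challenge_acks_sent(unsigned n, uint32_t limit) {
  struct conn c = { .rcv_nxt = 1000, .rcv_wnd = 65535, .ack_limit = limit };
  struct seg s = { .seq = 1500, .syn = true, .rst = false };
  unsigned sent = 0;
  for (unsigned i = 0; i < n; i++)
    if (validate_segment(&c, &s, POLICY_RFC5961, 7) == ACT_CHALLENGE_ACK) sent++;
  return sent;
}

int main(void) {
  printf("in-window SYN, RFC 793  -> %d (ACT_RESET=%d)\n",
         check_one(POLICY_RFC793, 1500, true, false), ACT_RESET);
  printf("in-window SYN, RFC 5961 -> %d (ACT_CHALLENGE_ACK=%d)\n",
         check_one(POLICY_RFC5961, 1500, true, false), ACT_CHALLENGE_ACK);
  printf("10 SYNs/s with limit 3  -> %u challenge ACKs\n", challenge_acks_sent(10, 3));
  return 0;
}
```

The SYN path is the one the patch changes: under POLICY_RFC793 the in-window SYN returns ACT_RESET, under POLICY_RFC5961 it returns ACT_CHALLENGE_ACK and the segment is dropped, which is what replacing tcp_send_reset with tcp_program_ack achieves. The limiter is the piece the hunk does not show; without it, every spoofed in-window SYN costs the receiver one outgoing ACK.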