This is a note to let you know that I've just added the patch titled
tcp: drop SYN+FIN messages
to the 3.0-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
tcp-drop-syn-fin-messages.patch
and it can be found in the queue-3.0 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From fdf5af0daf8019cec2396cdef8fb042d80fe71fa Mon Sep 17 00:00:00 2001
From: Eric Dumazet <[email protected]>
Date: Fri, 2 Dec 2011 23:41:42 +0000
Subject: tcp: drop SYN+FIN messages
From: Eric Dumazet <[email protected]>
commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa upstream.
Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
linux machines to their limits.
Dont call conn_request() if the TCP flags includes SYN flag
Reported-by: Denys Fedoryshchenko <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Cc: Ben Hutchings <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv4/tcp_input.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5761,6 +5761,8 @@ int tcp_rcv_state_process(struct sock *s
goto discard;
if (th->syn) {
+ if (th->fin)
+ goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
Patches currently in stable-queue which might be from [email protected] are
queue-3.0/tcp-drop-syn-fin-messages.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
