patch-2.4.21 linux-2.4.21/net/ipv4/netfilter/ipt_unclean.c
- Lines: 17
- Date:
2003-06-13 07:51:39.000000000 -0700
- Orig file:
linux-2.4.20/net/ipv4/netfilter/ipt_unclean.c
- Orig date:
2002-11-28 15:53:15.000000000 -0800
diff -urN linux-2.4.20/net/ipv4/netfilter/ipt_unclean.c linux-2.4.21/net/ipv4/netfilter/ipt_unclean.c
@@ -521,6 +521,16 @@
return 0;
}
+ /* CHECK: Do not use what is unused.
+ * First bit of fragmentation flags should be unused.
+ * May be used by OS fingerprinting tools.
+ * 04 Jun 2002, Maciej Soltysiak, solt@dns.toxicfilms.tv
+ */
+ if (ntohs(iph->frag_off)>>15) {
+ limpk("IP unused bit set\n");
+ return 0;
+ }
+
/* Per-protocol checks. */
switch (iph->protocol) {
case IPPROTO_ICMP:
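Review bot: The reserved-bit test on the new `if` line is written as a byte-swap plus shift, which reads as arithmetic rather than as a flag check and is not how the surrounding code tests header bits; a mask against the constant is clearer and skips the `ntohs`, e.g. `if (iph->frag_off & htons(IP_CE)) {` (IP_CE is the 0x8000 flag defined in net/ip.h; a literal `htons(0x8000)` with a comment naming it the reserved fragmentation bit does as well). The block comment above it mixes the rationale, which belongs in the code, with an author/date line that belongs in the changelog; trimming it to `/* RFC 791 reserves the top fragment-flags bit as zero; a set bit is a malformed packet and a fingerprinting aid. */` keeps the useful part. The rest of the check is consistent with the earlier tests in this function: log via limpk and return 0 to report the packet as unclean. The enclosing function begins before and ends after this hunk.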