Prevent oracle attacks in the legacy protocol (CVE-2018-16737, CVE-2018-16738)
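--- a/src/net_socket.c
+++ b/src/net_socket.c
@@ -41,7 +41,8 @@ int maxtimeout = 900;
 int seconds_till_retry = 5;
 int udp_rcvbuf = 1024 * 1024;
 int udp_sndbuf = 1024 * 1024;
-int max_connection_burst = 100;
+int max_connection_burst = 10;
+int fwmark;
 listen_socket_t listen_socket[MAXSOCKETS];
 int listen_sockets;
@@ -85,6 +86,14 @@ static void configure_tcp(connection_t *c) {
 	option = IPTOS_LOWDELAY;
 	setsockopt(c->socket, IPPROTO_IPV6, IPV6_TCLASS, (void *)&option, sizeof(option));
 #endif
+
+#if defined(SO_MARK)
+
+	if(fwmark) {
+		setsockopt(c->socket, SOL_SOCKET, SO_MARK, (void *)&fwmark, sizeof(fwmark));
+	}
+
+#endif
 }
 static bool bind_to_interface(int sd) {
@@ -184,6 +193,14 @@ int setup_listen_socket(const sockaddr_t *sa) {
 #else
 #warning IPV6_V6ONLY not defined
+#endif
+
+#if defined(SO_MARK)
+
+	if(fwmark) {
+		setsockopt(nfd, SOL_SOCKET, SO_MARK, (void *)&fwmark, sizeof(fwmark));
+	}
+
 #endif
 	if(get_config_string
@@ -316,6 +333,14 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
 		setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, (void *)&option, sizeof(option));
 	}
+#endif
+
+#if defined(SO_MARK)
+
+	if(fwmark) {
+		setsockopt(nfd, SOL_SOCKET, SO_MARK, (void *)&fwmark, sizeof(fwmark));
+	}
+
 #endif
 	if(!bind_to_interface(nfd)) {
@@ -647,12 +672,6 @@ void handle_new_meta_connection(void *data, int flags) {
 	// Check if we get many connections from the same host
 	static sockaddr_t prev_sa;
-	static int tarpit = -1;
-
-	if(tarpit >= 0) {
-		closesocket(tarpit);
-		tarpit = -1;
-	}
 	if(!sockaddrcmp_noport(&sa, &prev_sa)) {
 		static int samehost_burst;
@@ -668,7 +687,7 @@ void handle_new_meta_connection(void *data, int flags) {
 		samehost_burst++;
 		if(samehost_burst > max_connection_burst) {
-			tarpit = fd;
+			tarpit(fd);
 			return;
 		}
 	}
@@ -691,7 +710,7 @@ void handle_new_meta_connection(void *data, int flags) {
 	if(connection_burst >= max_connection_burst) {
 		connection_burst = max_connection_burst;
-		tarpit = fd;
+		tarpit(fd);
 		return;
 	}
@@ -720,7 +739,6 @@ void handle_new_meta_connection(void *data, int flags) {
 	connection_add(c);
 	c->allow_request = ID;
-	send_id(c);
 }
 #ifndef HAVE_MINGW
@@ -757,8 +775,6 @@ void handle_new_unix_connection(void *data, int flags) {
 	connection_add(c);
 	c->allow_request = ID;
-
-	send_id(c);
 }
 #endif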
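Review bot: The new `setsockopt(..., SOL_SOCKET, SO_MARK, ...)` call in configure_tcp, and its two copies in setup_listen_socket and setup_vpn_in_socket, discard the return value, so when the process lacks the privilege the platform requires for SO_MARK (on Linux, CAP_NET_ADMIN) the configured mark is silently dropped and any firewall or policy-routing rule the operator keyed on it quietly stops matching. Unlike the neighbouring IPTOS_LOWDELAY / IPV6_TCLASS calls, which are cosmetic, fwmark is explicit operator configuration, so a failed set should at least be logged so the misconfiguration is visible; e.g. `if(setsockopt(c->socket, SOL_SOCKET, SO_MARK, (void *)&fwmark, sizeof(fwmark)) != 0) { /* log: failed to set fwmark on socket, with the socket error */ }` in configure_tcp and the same shape for the two `nfd` variants. Where fwmark is read from the configuration and whether that path validates its range is outside this diff, as is the body of the new tarpit() helper that replaces the static fd; all of the touched functions begin before their hunks.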