netflix / security-bulletins Goto Github PK

I believe the IP tables rule should be updated with a top insert to ensure that the packet does not get accepted prior to the appended rule and that to further ensure no issues it should be added to the mangle table which is the lead of the stack.

iptables -t mangle -I INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

my os centos6 kernel is :2.6.32-504.3.3.el6.x86_64

I don't think there's anything to ensure it is not evaluating any four bytes of timestamp's eight bytes of values. Re-transmitted segments with newer TS values are less likely to also be matched erroneously (except for maybe echo values on SYN|ACKs) but the session might have to pay the initial rto penalty.

The page says: "We thank Jonathan Lemon and Alexey Kodanev for helping to improve the Linux patches."

Please amend that to:

"We thank Jonathan Lemon,. Alexey Kodanev and Joao Martins for helping to improve the Linux patches."

Alexey reported the bug. Joao found the solution.

Thank you!

Hi ,

In PATCH_net_1_4.patch have 5 files modifications/changes.

net/ipv4/tcp_output.c modification lines are not available in following kernel version in Centos.

Kernel versions :-
3.10.0-693.11.6.el7.x86_64
3.10.0-514.26.2.el7.x86_64
3.10.0-327.36.3.el7.x86_64

Not available lines :

@@ -2747,7 +2747,7 @@ static bool tcp_collapse_retrans(struct sock *sk, struct sk_buff *skb)
 		if (next_skb_size <= skb_availroom(skb))
 			skb_copy_bits(next_skb, 0, skb_put(skb, next_skb_size),
 				      next_skb_size);
-		else if (!skb_shift(skb, next_skb, next_skb_size))
+		else if (!tcp_skb_shift(skb, next_skb, 1, next_skb_size))
 			return false;
 	}
 	tcp_highest_sack_replace(sk, next_skb, skb);

Due to this kpatch got failed .Please check and do the needful.

Regards,
Senthil