Commit 9c5f0745 authored by Harald Welte's avatar Harald Welte Committed by David S. Miller

[NETFILTER] Add IP unused bit check to ipt_unclean.c, from Maciej Soltysiak.

parent f24bd042
...@@ -521,6 +521,16 @@ check_ip(struct iphdr *iph, size_t length, int embedded) ...@@ -521,6 +521,16 @@ check_ip(struct iphdr *iph, size_t length, int embedded)
return 0; return 0;
} }
/* CHECK: Do not use what is unused.
* First bit of fragmentation flags should be unused.
* May be used by OS fingerprinting tools.
* 04 Jun 2002, Maciej Soltysiak, solt@dns.toxicfilms.tv
*/
if (ntohs(iph->frag_off)>>15) {
limpk("IP unused bit set\n");
return 0;
}
/* Per-protocol checks. */ /* Per-protocol checks. */
switch (iph->protocol) { switch (iph->protocol) {
case IPPROTO_ICMP: case IPPROTO_ICMP:
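Review bot: The added test `ntohs(iph->frag_off)>>15` identifies the bit only through a bare shift count, and it byte-swaps the field on every packet. Masking in network byte order states the intent directly: `if (iph->frag_off & htons(0x8000)) {`, or the named mask `IP_CE` from net/ip.h if that header is already in scope (the includes are not visible in this hunk). The comment would be more useful if it named the bit as the reserved flag that RFC 791 requires to be zero, and left the date and e-mail address to the commit log. As far as the hunk shows, `limpk("IP unused bit set\n")` records no packet details, so it is worth confirming that the log line carries enough context for an analyst to correlate the drop. check_ip begins and ends outside the hunk, so the ordering against the earlier header checks could not be reviewed.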