Revert "tcp: mitigate a side channel for detection of TCP connections"

This reverts commit 89cd3740e9.
Franco Fichtner 2025-09-08 12:13:57 +02:00
parent 50cf88be6f
commit ab2281de18


@ -85,7 +85,6 @@
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_var.h>
#include <netinet/icmp_var.h>
#ifdef INET6
#include <netinet/icmp6.h>
#include <netinet/ip6.h>
@ -2231,13 +2230,6 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
sbintime_t now;
bool send_challenge_ack;
/*
* The sending of a challenge ACK could be triggered by a blind attacker
* to detect an existing TCP connection. To mitigate that, increment
* also the global counter which would be incremented if the attacker
* would have guessed wrongly.
*/
(void)badport_bandlim(BANDLIM_TCP_RST);
if (V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0) {
/* ACK war protection is disabled. */
send_challenge_ack = true;