diff --git a/newip/src/linux-5.10/net/newip/tcp_nip_input.c b/newip/src/linux-5.10/net/newip/tcp_nip_input.c index c8ef3a6c056632993bac5fb1e8e0e3e3977ef38f..4e92daaa967505573eba794ed3fd386333b1a87a 100644 --- a/newip/src/linux-5.10/net/newip/tcp_nip_input.c +++ b/newip/src/linux-5.10/net/newip/tcp_nip_input.c @@ -340,7 +340,15 @@ coalesce_done: goto insert; } - if (after(seq, TCP_SKB_CB(tp->ooo_last_skb)->seq)) { + if (!before(seq, TCP_SKB_CB(tp->ooo_last_skb)->seq)) { + if (!after(end_seq, TCP_SKB_CB(tp->ooo_last_skb)->end_seq)) { + /* ooo_last_skb->seq <= seq, end_seq <= ooo_last_skb->end_seq */ + nip_dbg("ooo_last_skb completely overlapping new skb, drop pkt"); + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPOFOMERGE); + tcp_nip_drop(sk, skb); + skb = NULL; + goto end; + } tcp_nip_left_overlap(skb, tp->ooo_last_skb); if (tcp_nip_ooo_try_coalesce(sk, tp->ooo_last_skb, skb, &fragstolen)) { nip_dbg("ofo skb coalesce ooo_last_skb done"); @@ -1074,6 +1082,13 @@ int _tcp_nip_conn_request(struct request_sock_ops *rsk_ops, af_ops->init_req(req, sk, skb); + /* Based on the security context of the socket and packet, + * this function calculates the security context of the connection + * and checks whether establishing a TCP connection is permitted. + */ + if (security_inet_conn_request(sk, skb, req)) + goto drop_and_free; + if (!isn) isn = af_ops->init_seq(skb);