From 3be710c3e6928f95175515a4a94c501c32b727d6 Mon Sep 17 00:00:00 2001
From: M66B
Date: Sat, 6 Feb 2016 08:03:34 +0100
Subject: [PATCH] Native SYN data handling, TCP forward time-out
---
 app/src/main/jni/netguard/netguard.c | 39 ++++++++++++++++++----------
 app/src/main/jni/netguard/netguard.h | 1 +
 2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/app/src/main/jni/netguard/netguard.c b/app/src/main/jni/netguard/netguard.c
index 89a0c33e..3ae16a75 100644
--- a/app/src/main/jni/netguard/netguard.c
+++ b/app/src/main/jni/netguard/netguard.c
@@ -785,12 +785,12 @@ int get_selects(const struct arguments *args, fd_set *rfds, fd_set *wfds, fd_set
 FD_SET(t->socket, rfds);
 if (t->socket > max)
 max = t->socket;
- }
- if (t->data_rx != NULL) {
- FD_SET(t->socket, wfds);
- if (t->socket > max)
- max = t->socket;
+ if (t->data_rx != NULL) {
+ FD_SET(t->socket, wfds);
+ if (t->socket > max)
+ max = t->socket;
+ }
 }
 t = t->next;
@@ -1282,6 +1282,7 @@ void check_tcp_sockets(const struct arguments *args, fd_set *rfds, fd_set *wfds,
 }
 } else {
 fwd = 1;
+ cur->time = time(NULL);
 confirm += cur->data_rx->confirm;
 cur->remote_seq = cur->data_rx->seq + cur->data_rx->len;
@@ -2191,9 +2192,17 @@ jboolean handle_tcp(const struct arguments *args,
 syn->data_rx = NULL;
 syn->next = NULL;
- // TODO handle SYN data?
- if (datalen)
+ if (datalen) {
 log_android(ANDROID_LOG_WARN, "%s SYN data", packet);
+ syn->data_rx = malloc(sizeof(struct segment));
+ syn->data_rx->seq = syn->remote_seq;
+ syn->data_rx->len = datalen;
+ syn->data_rx->psh = tcphdr->psh;
+ syn->data_rx->confirm = 0;
+ syn->data_rx->data = malloc(datalen);
+ memcpy(syn->data_rx->data, data, datalen);
+ syn->data_rx->next = NULL;
+ }
 // Open socket
 syn->socket = open_tcp_socket(args, syn);
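Review bot: In the `get_selects` hunk, the `if (t->socket > max) max = t->socket;` pair inside the new nested `if (t->data_rx != NULL)` block is redundant. The three context lines directly above it already raise `max` for the same `t->socket` in the same enclosing block, so the nested block can shrink to `FD_SET(t->socket, wfds);`. The enclosing condition starts outside the hunk; a short comment there should state that pending `data_rx` is now only offered for writing when the socket is also selected for reading. Nothing visible here bounds `t->socket` against `FD_SETSIZE` before `FD_SET`, which is undefined for larger descriptors, though that may be checked elsewhere.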
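Review bot: In the `handle_tcp` SYN hunk, both `malloc` results are used without a NULL check: `syn->data_rx->seq = ...` dereferences the first, and `memcpy(syn->data_rx->data, data, datalen)` writes through the second. `datalen` is taken from the received packet, so an allocation failure here becomes a NULL dereference in the native packet loop instead of a handled error. Allocate into locals, check both, and only then attach the segment to `syn`; `sizeof(*seg)` also keeps the size tied to the pointer's type. The function body continues on both sides of the hunk and the failure path for an abandoned SYN is not visible, so the sketch below only leaves `syn->data_rx` as NULL and logs; the author should decide whether the SYN must be dropped instead.

```c
if (datalen) {
    log_android(ANDROID_LOG_WARN, "%s SYN data", packet);
    struct segment *seg = malloc(sizeof(*seg));
    void *copy = malloc(datalen);
    if (seg == NULL || copy == NULL) {
        log_android(ANDROID_LOG_ERROR, "%s SYN data allocation failed", packet);
        free(seg);
        free(copy);
    } else {
        memcpy(copy, data, datalen);
        seg->data = copy;
        // … unchanged: seq, len, psh, confirm and next assignments, written through seg …
        syn->data_rx = seg;
    }
}
```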
@@ -2297,8 +2306,10 @@ jboolean handle_tcp(const struct arguments *args,
 }
 }
- if (tcphdr->rst) {
+ if (tcphdr->rst /* +ACK */) {
 // No sequence check
+ // TODO half-duplex close sequence
+ // http://tools.ietf.org/html/rfc1122#page-87
 log_android(ANDROID_LOG_WARN, "%s received reset", session);
 cur->state = TCP_TIME_WAIT;
 return 0;
@@ -2310,14 +2321,14 @@ jboolean handle_tcp(const struct arguments *args,
 // The socket is likely not opened yet
 // Note: perfect, ordered packet receive assumed
- } else if (tcphdr->fin /* ACK */) {
- if (cur->state == TCP_ESTABLISHED /* && !tcphdr->ack */)
+ } else if (tcphdr->fin /* +ACK */) {
+ if (cur->state == TCP_ESTABLISHED)
 cur->state = TCP_CLOSE_WAIT;
 else if (cur->state == TCP_FIN_WAIT1 && tcphdr->ack)
 cur->state = TCP_TIME_WAIT;
 else if (cur->state == TCP_FIN_WAIT1 && !tcphdr->ack)
 cur->state = TCP_CLOSING;
- else if (cur->state == TCP_FIN_WAIT2 /* && !tcphdr->ack */)
+ else if (cur->state == TCP_FIN_WAIT2)
 cur->state = TCP_TIME_WAIT;
 else {
 log_android(ANDROID_LOG_ERROR, "%s invalid FIN", session);
@@ -2337,9 +2348,11 @@ jboolean handle_tcp(const struct arguments *args,
 }
 if (s != NULL && s->seq == seq)
 s->confirm = 1; // FIN
- else
+ else {
 log_android(ANDROID_LOG_ERROR,
- "%s no segment for ACK/FIN", session);
+ "%s no segment for FIN confirm", session);
+ return 0;
+ }
 }
 }
 } else if (tcphdr->ack) {
diff --git a/app/src/main/jni/netguard/netguard.h b/app/src/main/jni/netguard/netguard.h
index 4187fdc4..a47c99b1 100644
--- a/app/src/main/jni/netguard/netguard.h
+++ b/app/src/main/jni/netguard/netguard.h
@@ -22,6 +22,7 @@
 #define TCP_IDLE_TIMEOUT 300 // seconds ~net.inet.tcp.keepidle
 #define TCP_CLOSE_TIMEOUT 30 // seconds
 #define TCP_KEEP_TIMEOUT 300 // seconds
+// https://en.wikipedia.org/wiki/Maximum_segment_lifetime
 #define UID_DELAY 1 // milliseconds
 #define UID_DELAYTRY 10 // milliseconds
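Review bot: In the last `handle_tcp` hunk, the new `return 0;` after the "no segment for FIN confirm" log seems to leave the session with its state already advanced. The transition shown in the previous hunk (`cur->state = TCP_CLOSE_WAIT` and its siblings) sits earlier in the same `else if (tcphdr->fin)` branch, so the state changes even though the FIN was never matched to a segment. The lines between the two hunks are not visible, so this is inferred. If it holds, either run the segment lookup before changing `cur->state`, or add a comment such as `// state already advanced; FIN stays unconfirmed until retransmit` explaining why that is acceptable. A short comment on what a 0 return from `handle_tcp` tells the caller would also help, since the reset path above returns 0 as well.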