From owner-freebsd-security Tue Jan 25 11:24: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id F2C1614D68
	for ; Tue, 25 Jan 2000 11:24:01 -0800 (PST)
	(envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.9.3/8.9.3) id LAA11325;
	Tue, 25 Jan 2000 11:48:20 -0800 (PST)
Date: Tue, 25 Jan 2000 11:48:20 -0800
From: Alfred Perlstein
To: Warner Losh
Cc: Matthew Dillon , security@FreeBSD.ORG
Subject: Re: Merged patches
Message-ID: <20000125114820.V26520@fw.wintelcom.net>
References: <200001251733.JAA04770@apollo.backplane.com> <200001251637.JAA04226@harmony.village.org> <200001251733.JAA04770@apollo.backplane.com> <200001251736.KAA04666@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200001251736.KAA04666@harmony.village.org>; from imp@village.org on Tue, Jan 25, 2000 at 10:36:10AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Warner Losh [000125 10:40] wrote:
> In message <200001251733.JAA04770@apollo.backplane.com> Matthew Dillon writes:
> : I'd increase the default to 200, no higher. 1000 is probably too
> : high a rate.
>
> ok.
>
> : I found a bug in the patch:
> :
> : : #endif
> : :- if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
> : :- goto drop;
> : :+ if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
> : :+ IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
> : :+ IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))
> : : #ifdef INET6
> : : if (isipv6) {
> : : MALLOC(sin6, struct sockaddr_in6 *, sizeof *sin6,
> :
> : In the above section, the 'goto drop' was removed. Shouldn't that stay
> : in? The body of this 'if' statement is now the conditional that
> : follows it, which is not what I think you meant to do.
>
> You are right.... Uggg, the indenting there is somewhat less than
> optimal. Will have to fix that later. However, here's the corrected
> patch.
>
> Warner
>
> Index: netinet/tcp_input.c
> ===================================================================
> RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v
> retrieving revision 1.103
> diff -u -r1.103 tcp_input.c
> --- netinet/tcp_input.c 2000/01/15 14:56:35 1.103
> +++ netinet/tcp_input.c 2000/01/25 17:35:13
> @@ -615,10 +615,6 @@
> break;
> }
> }

I like this except for the fact that ICMP_BANDLIM isn't on by default; we
shouldn't ship something that can fall over. This just adds "yet one more
thing" an admin must tweak to have a safe/usable box.

I do agree that the code for it should be marked so that people using our
stack for reference can maybe define NOICMP_BANDLIM and get the less
self-preserving code.

Imagine if our inetd didn't offer rate limiting unless it was compiled with
certain defines.

-Alfred

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
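Review bot: in the fragment Matthew quotes, the removed `goto drop;` is never reintroduced, so the new three-way condition (`IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) || IN_MULTICAST(ntohl(ip->ip_src.s_addr)) || IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr))`) has no body of its own and governs whatever statement follows the `#ifdef INET6` line: on an INET6 kernel that is the `if (isipv6) {` block, which would then run only for multicast-destination or multicast/class-E-source packets, and on a kernel built without INET6 it binds to whatever statement comes next instead. Close the condition with `goto drop;` on its own line (braces would not hurt, given the indentation) so that both the original multicast-destination case and the added source-address cases are dropped before any response is built.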
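Review bot: the corrected hunk as it appears in this message (`@@ -615,10 +615,6 @@`) announces four lines removed, but only the trailing context `break;` `}` `}` is present; none of the `-` lines, and no line restoring `goto drop;`, are visible, so the fix Matthew asked for cannot be confirmed from what was posted. Please resend the hunk intact, and since Warner already notes the indentation is off, fixing it in the same patch would make the binding of that `if` obvious to the next reviewer.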
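The self-preserving behaviour Alfred is arguing for, as an added example that is not part of the original message and not the FreeBSD patch or kernel source under discussion: a per-second cap on error responses in the spirit of ICMP_BANDLIM, combined with the source/destination address checks from the quoted hunk with their `goto drop` semantics restored as an early return. The names (`resp_limiter`, `should_respond`, `burst_responses`, ...), the fixed one-second window and the sample addresses are this example's own assumptions; the `IN_MULTICAST`/`IN_EXPERIMENTAL` macros come from `<netinet/in.h>` on BSD and glibc, with a class-E fallback defined for libcs that lack the latter.

```c
/*
 * Added example, not the FreeBSD patch or kernel code discussed in the thread.
 * Per-second response limiter in the spirit of ICMP_BANDLIM plus the address
 * checks from the quoted hunk. All names and sample addresses are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <netinet/in.h>   /* IN_MULTICAST(); IN_EXPERIMENTAL() on BSD and glibc */

/* Class E (240.0.0.0/4), host byte order, for libcs without the macro. */
#ifndef IN_EXPERIMENTAL
#define IN_EXPERIMENTAL(a) ((((uint32_t)(a)) & 0xf0000000U) == 0xf0000000U)
#endif

struct resp_limiter {
	unsigned limit;        /* max responses per one-second window; 0 = no limit */
	uint32_t window_start; /* the second the current window belongs to */
	unsigned count;        /* responses sent in the current window */
	unsigned suppressed;   /* responses dropped in the current window */
};

/*
 * The quoted condition with its `goto drop` restored: never answer a packet
 * with a multicast destination, or a multicast or class-E source. Addresses
 * are in host byte order, i.e. already passed through ntohl().
 */
bool addr_ok_for_response(uint32_t src, uint32_t dst)
{
	if (IN_MULTICAST(dst))
		return false;
	if (IN_MULTICAST(src) || IN_EXPERIMENTAL(src))
		return false;
	return true;
}

/*
 * Fixed-window limiter: at most `limit` responses during the second `now`.
 * Suppressed responses are reported once per window roll-over, so the log
 * line itself cannot become a second flood.
 */
bool resp_limiter_allow(struct resp_limiter *rl, uint32_t now)
{
	if (rl->limit == 0)
		return true;
	if (now != rl->window_start) {
		if (rl->suppressed)
			printf("second %u: %u responses suppressed\n",
			       rl->window_start, rl->suppressed);
		rl->window_start = now;
		rl->count = 0;
		rl->suppressed = 0;
	}
	if (rl->count < rl->limit) {
		rl->count++;
		return true;
	}
	rl->suppressed++;
	return false;
}

/* Address checks come first: a dropped packet must not consume a slot. */
bool should_respond(struct resp_limiter *rl, uint32_t src, uint32_t dst, uint32_t now)
{
	if (!addr_ok_for_response(src, dst))
		return false;
	return resp_limiter_allow(rl, now);
}

/* Feed `n` identical packets at time `now`; returns how many were answered. */
unsigned run_burst(struct resp_limiter *rl, uint32_t src, uint32_t dst, uint32_t now, unsigned n)
{
	unsigned sent = 0;
	for (unsigned i = 0; i < n; i++)
		if (should_respond(rl, src, dst, now))
			sent++;
	return sent;
}

/* Fresh limiter, one burst of `n` unicast packets within a single second. */
unsigned burst_responses(unsigned limit, unsigned n)
{
	struct resp_limiter rl = { .limit = limit };
	return run_burst(&rl, 0x0a000001U /* 10.0.0.1 */, 0xc0a80001U /* 192.168.0.1 */, 1, n);
}

/* `n1` packets in second 1, then `n2` in second 2; returns answers in second 2. */
unsigned next_second_responses(unsigned limit, unsigned n1, unsigned n2)
{
	struct resp_limiter rl = { .limit = limit };
	(void)run_burst(&rl, 0x0a000001U, 0xc0a80001U, 1, n1);
	return run_burst(&rl, 0x0a000001U, 0xc0a80001U, 2, n2);
}

int main(void)
{
	printf("limit 200, 1000-packet burst: %u answered\n", burst_responses(200, 1000));
	printf("limit 0 (bandlim off), same burst: %u answered\n", burst_responses(0, 1000));
	printf("limit 200, 50 packets next second: %u answered\n", next_second_responses(200, 1000, 50));
	printf("multicast source 224.0.0.1: %s\n",
	       addr_ok_for_response(0xe0000001U, 0xc0a80001U) ? "answer" : "drop");
	return 0;
}
```

With `limit` at 0 the limiter is a no-op, which is the shipped default Alfred objects to: a 1000-packet burst draws 1000 responses. With the thread's suggested default of 200, the same burst draws 200 and the window resets on the next second, while packets with multicast or class-E addresses are dropped without touching the counter at all.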