From owner-freebsd-stable  Thu Jan 20 16:38:42 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id 23818153FA; Thu, 20 Jan 2000 16:38:34 -0800 (PST)
	(envelope-from brett@lariat.org)
Received: from workhorse (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA11362;
	Thu, 20 Jan 2000 17:38:15 -0700 (MST)
Message-Id: <4.2.2.20000120173540.01a26100@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Thu, 20 Jan 2000 17:38:13 -0700
To: Warner Losh <imp@village.org>
From: Brett Glass <brett@lariat.org>
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit? 
Cc: jamiE rishaw - master e*tard <jamiE@arpa.com>,
	Tom <tom@uniserve.com>, Mike Tancsa <mike@sentex.net>,
	freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG,
	security-officer@FreeBSD.ORG
In-Reply-To: <200001210034.RAA06762@harmony.village.org>
References: <Your message of "Thu, 20 Jan 2000 17:32:03 MST." <4.2.2.20000120172607.0198f1e0@localhost>
 <4.2.2.20000120172607.0198f1e0@localhost>
 <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca>
 <3.0.5.32.20000120152818.01d7fa40@staff.sentex.ca>
 <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hmmm. I haven't started at the stack to see if this is feasible,
but can't the code that implements IPFW's "established" keyword
be used to discard the ACK if it isn't associated with an
active session?

--Brett

At 05:34 PM 1/20/2000 , Warner Losh wrote:
   
>It is a remote exploit.
>
>Warner



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message