Date: Wed, 26 Jan 2000 15:04:07 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Warner Losh , geniusj , security@freebsd.org
Subject: Re: Merged patches
Message-ID: <388F6F57.9F7E52E@softweyr.com>
References: <200001251726.KAA04563@harmony.village.org> <388E1C3F.B2056E81@softweyr.com>

Wes Peters wrote:
>
> Warner Losh wrote:
> >
> > In message geniusj writes:
> > : This patch does not seem to apply, using 3.4-STABLE branch did patch <
> > : kern.patch from /sys, it applies, but many hunks failed.. Will this be the
> > : official patch? You were the one working on it, no? :)
> >
> > This patch is for -current only. If a different one is needed for
> > stable, we'll deal with that then.
> > We're 3 days from code freeze, and
> > I want to get something good into 4.0 to help limit the damage here.
>
> I'm importing this patch to a -STABLE machine now. Hold your horses, I
> should be ready to post it in another hour or two. It's already running
> on my laptop, but I want to make sure it applies cleanly against the
> most up-to-date -STABLE I can get from cvsup8, to avoid complaints.

OK, here's the diff, from -STABLE as of late yesterday evening. Anyone following this thread running -CURRENT or any other late model 3.X please test this and report any problems to me. A good eyeballing by others wouldn't hurt either.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                     Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

Content-Disposition: inline; filename="tcp_input.patch"

*** tcp_input.c.orig Thu Oct 14 05:49:38 1999 --- tcp_input.c Tue Jan 25 22:40:29 2000 *************** *** 432,438 **** } tp = intotcpcb(inp); if (tp == 0) ! goto dropwithreset; if (tp->t_state == TCPS_CLOSED) goto drop; --- 432,438 ---- } tp = intotcpcb(inp); if (tp == 0) ! goto maybedropwithreset; if (tp->t_state == TCPS_CLOSED) goto drop; *************** *** 460,466 **** */ if (tiflags & TH_ACK) { tcpstat.tcps_badsyn++; ! goto dropwithreset; } goto drop; } --- 460,466 ---- */ if (tiflags & TH_ACK) { tcpstat.tcps_badsyn++; ! goto maybedropwithreset; } goto drop; } *************** *** 676,682 **** if (tiflags & TH_RST) goto drop; if (tiflags & TH_ACK) ! goto dropwithreset; if ((tiflags & TH_SYN) == 0) goto drop; if ((ti->ti_dport == ti->ti_sport) && --- 676,682 ---- if (tiflags & TH_RST) goto drop; if (tiflags & TH_ACK) ! goto maybedropwithreset; if ((tiflags & TH_SYN) == 0) goto drop; if ((ti->ti_dport == ti->ti_sport) && *************** *** 688,693 **** --- 688,694 ---- * packet with M_BCAST not set. 
*/ if (m->m_flags & (M_BCAST|M_MCAST) || + IN_MULTICAST(ntohl(ti->ti_src.s_addr)) || IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) goto drop; MALLOC(sin, struct sockaddr_in *, sizeof *sin, M_SONAME, *************** *** 809,815 **** if ((tiflags & TH_ACK) && (SEQ_LEQ(ti->ti_ack, tp->snd_una) || SEQ_GT(ti->ti_ack, tp->snd_max))) ! goto dropwithreset; break; /* --- 810,816 ---- if ((tiflags & TH_ACK) && (SEQ_LEQ(ti->ti_ack, tp->snd_una) || SEQ_GT(ti->ti_ack, tp->snd_max))) ! goto maybedropwithreset; break; /* *************** *** 1776,1782 **** if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && (SEQ_GT(tp->snd_una, ti->ti_ack) || SEQ_GT(ti->ti_ack, tp->snd_max)) ) ! goto dropwithreset; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); --- 1777,1783 ---- if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && (SEQ_GT(tp->snd_una, ti->ti_ack) || SEQ_GT(ti->ti_ack, tp->snd_max)) ) ! goto maybedropwithreset; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); *************** *** 1786,1791 **** --- 1787,1802 ---- (void) tcp_output(tp); return; + /* + * Conditionally drop with reset or just drop depending on whether + * we think we are under attack or not. + */ + maybedropwithreset: + #ifdef ICMP_BANDLIM + if (badport_bandlim(1) < 0) + goto drop; + #endif + /* fall through */ dropwithreset: #ifdef TCP_RESTRICT_RST if (restrict_rst) *************** *** 1796,1802 **** * Make ACK acceptable to originator of segment. * Don't bother to respond if destination was broadcast/multicast. */ ! if ((tiflags & TH_RST) || m->m_flags & (M_BCAST|M_MCAST) || IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) goto drop; #ifdef TCPDEBUG --- 1807,1815 ---- * Make ACK acceptable to originator of segment. * Don't bother to respond if destination was broadcast/multicast. */ ! if ((tiflags & TH_RST) || ! m->m_flags & (M_BCAST|M_MCAST) || ! 
IN_MULTICAST(ntohl(ti->ti_src.s_addr)) || IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) goto drop; #ifdef TCPDEBUG
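Review bot: the five `goto dropwithreset` sites converted to `goto maybedropwithreset` in the hunks at 432, 460, 676, 809 and 1776 are the only ones this patch touches, and nothing here shows whether any other `goto dropwithreset` remains in tcp_input.c; since one unconverted path would still emit unlimited RSTs, the commit message should state which RST paths (if any) are intentionally left unlimited and why, and the submitter should confirm that with a grep before commit.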
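Review bot: in the listen-path hunk at 688,693 the added `IN_MULTICAST(ntohl(ti->ti_src.s_addr))` test only rejects class D source addresses, so a segment with the limited broadcast address as its source would still reach the `MALLOC(sin, ...)` below; consider rejecting `INADDR_BROADCAST` sources in the same condition, and update the comment above ("packet with M_BCAST not set"), which still describes only the destination case.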
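Review bot: the new `maybedropwithreset:` label in the hunk at 1786,1791 does nothing unless the kernel is built with `options ICMP_BANDLIM`; without it the `#ifdef` removes the `badport_bandlim(1)` call and every converted site falls straight through to `dropwithreset` as before, so the commit message and the kernel config notes should say the mitigation depends on that option. The bare `1` passed to `badport_bandlim()` should be a named constant so a reader can tell which rate-limit bucket RSTs share, and the `goto drop` taken when the limit is hit deserves its own `tcpstat` counter so an operator can see from `netstat -s` when RST suppression is active.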
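Review bot: in the hunk at 1796,1802 the comment "Don't bother to respond if destination was broadcast/multicast." no longer matches the condition, which now also drops on a multicast source; update the comment. The condition is split into `(tiflags & TH_RST) || m->m_flags & (M_BCAST|M_MCAST) || IN_MULTICAST(...) || IN_MULTICAST(...)`, which is correct because `&` binds tighter than `||`, but the `m->m_flags & (M_BCAST|M_MCAST)` term should be parenthesized like the `TH_RST` term so the four-way test reads unambiguously.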