From owner-freebsd-questions Thu Nov 20 11:17:31 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA27819 for questions-outgoing; Thu, 20 Nov 1997 11:17:31 -0800 (PST) (envelope-from owner-freebsd-questions) Received: from flea.best.net (root@flea.best.net [206.184.139.131]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA27687; Thu, 20 Nov 1997 11:16:16 -0800 (PST) (envelope-from dillon@flea.best.net) Received: (from dillon@localhost) by flea.best.net (8.8.7/8.7.3) id LAA28437; Thu, 20 Nov 1997 11:15:42 -0800 (PST) Date: Thu, 20 Nov 1997 11:15:42 -0800 (PST) From: Matt Dillon Message-Id: <199711201915.LAA28437@flea.best.net> To: spork Cc: GNATS Management , freebsd-questions@FreeBSD.ORG Subject: Re: kern/5103: FreeBSD kernel lockup from spoofed TCP packet Sender: owner-freebsd-questions@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk This was my quick and dirty hack, but it's unverified whether it stops the attack. It should. -Matt : :This is a nasty one, care to share your hack-patch? : :Charles Sprickman :spork@super-g.com tick:/usr/src/sys/netinet# diff -c LINK/tcp_input.c tcp_input.c *** LINK/tcp_input.c Thu Oct 23 14:19:23 1997 --- tcp_input.c Thu Nov 20 03:38:59 1997 *************** *** 315,321 **** --- 315,329 ---- tcpstat.tcps_rcvbadsum++; goto drop; } + #endif /* TUBA_INCLUDE */ + /* + * Check that TCP port pair makes sense XXX MATT HACK + */ + if (ti->ti_src.s_addr == ti->ti_dst.s_addr && ti->ti_sport == ti->ti_dport) { + tcpstat.tcps_rcvshort++; /* actually error */ + goto drop; + } /* * Check that TCP offset makes sense,
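Review bot: The added check counts its drops in tcpstat.tcps_rcvshort (the line commented "actually error"), so segments rejected for having identical source and destination address and port are indistinguishable in the statistics from genuinely short packets. A dedicated counter would let an operator see when this check is firing. The condition also tests only ti_src/ti_dst and ti_sport/ti_dport, with no look at the TCP flags or the state of the matching socket, so it applies to every segment, including a local socket that legitimately connects to its own address and port. Consider limiting it to SYN segments arriving for a listening socket. Separately, "#endif /* TUBA_INCLUDE */" appears as an added line in this hunk, so it is worth confirming the #ifndef/#endif pairing is still balanced and that the new check sits outside the conditional as intended.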