Date:      Fri, 20 May 2005 19:17:10 +0200
From:      Uwe Doering <gemini@geminix.org>
To:        Tim Traver <tt-list@simplenet.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Possible PAWS security vulnerability
Message-ID:  <428E1B96.3020306@geminix.org>
In-Reply-To: <428E0FD2.3070200@simplenet.com>
References:  <428E0FD2.3070200@simplenet.com>


Tim Traver wrote:
> Hello security gurus,
> 
> yesterday, I mistakenly posted a question on the questions list about 
> this article :
> 
> http://www.securityfocus.com/bid/13676/info/
> 
> which talks about a form of DOS vulnerability.
> 
> I was curious as to the possibility of FreeBSD 5.x being affected, and 
> if anyone was working on this or not.
> 
> Ted Mittelstaedt posted this possible patch based upon the OpenBSD patch :
> 
> in /usr/src/sys/netinet
> 
> *** tcp_input.c.original        Thu May 19 11:52:30 2005
> --- tcp_input.c Thu May 19 12:00:14 2005
> ***************
> *** 976,984 ****
> --- 976,992 ----
>                 * record the timestamp.
>                 * NOTE that the test is modified according to the latest
>                 * proposal of the tcplw@cray.com list (Braden 1993/04/26).
> +                * NOTE2 additional check added as a result of PAWS 
> vulnerability
> +                * documented in Cisco security notice 
> cisco-sn-20050518-tcpts
> +                * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
>                 */
>                if ((to.to_flags & TOF_TS) != 0 &&
>                    SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
> +                       if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
> +
> +                               ((thflags & (TH_SYN|TH_FIN)) != 0)))
> +                                 tp->ts_recent = to.to_tsval;
> +                       else
> +                               tp->ts_recent = 0;
>                        tp->ts_recent_age = ticks;
>                        tp->ts_recent = to.to_tsval;
>                }
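
Review bot: the conditional update of tp->ts_recent in this hunk is dead code. The unchanged line `tp->ts_recent = to.to_tsval;` that still follows the new if/else assigns unconditionally, so ts_recent is overwritten whatever the range test decided and the PAWS hardening has no effect; drop that leftover assignment so only the new branch sets ts_recent. Also, the `+` operator between `tlen` and `((thflags & (TH_SYN|TH_FIN)) != 0)` has been pushed onto its own line by mail wrapping, so the hunk will not apply as quoted.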

I wonder, what good does it do to set 'tp->ts_recent' conditionally if 
you overwrite it with 'to.to_tsval' two lines later in any case.  So 
far, I'd say this patch looks faulty.

Apart from that, why develop your own patch when there is one already in 
CVS:

 
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=h

As far as I can tell there are good chances that it even applies 
flawlessly to RELENG_4.

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
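To make the dead-assignment point concrete, here is an added C model of the ts_recent update from the quoted hunk, once as posted and once with the leftover unconditional line removed. This is example code, not the FreeBSD sources; the struct, the SEQ_LEQ/TH_* stand-ins and the function names are constructed for the example, and ts_recent_age is left out.

```c
#include <stdint.h>

/* Stand-ins for the kernel macros and fields used in the hunk; constructed
 * for this example, not taken from the FreeBSD sources. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

struct tcpcb_min {
    uint32_t last_ack_sent; /* last ACK number this side sent */
    uint32_t ts_recent;     /* timestamp PAWS compares incoming segments to */
};

/* True when the segment range [seq, seq + tlen (+1 for SYN/FIN)] covers
 * last_ack_sent: the range test the hunk adds. */
static int covers_last_ack(const struct tcpcb_min *tp, uint32_t seq, int tlen,
                           int thflags)
{
    return SEQ_LEQ(seq, tp->last_ack_sent) &&
           SEQ_LEQ(tp->last_ack_sent,
                   seq + tlen + ((thflags & (TH_SYN | TH_FIN)) != 0));
}

/* ts_recent update as it reads in the posted hunk: the conditional branch is
 * followed by the leftover unconditional assignment. Returns the new ts_recent. */
uint32_t ts_update_as_posted(struct tcpcb_min *tp, uint32_t seq, int tlen,
                             int thflags, uint32_t tsval)
{
    if (SEQ_LEQ(seq, tp->last_ack_sent)) {
        tp->ts_recent = covers_last_ack(tp, seq, tlen, thflags) ? tsval : 0;
        tp->ts_recent = tsval; /* leftover line: undoes the branch above */
    }
    return tp->ts_recent;
}

/* The same logic with the leftover assignment dropped, so only a segment whose
 * range covers last_ack_sent can install its timestamp. */
uint32_t ts_update_without_leftover(struct tcpcb_min *tp, uint32_t seq, int tlen,
                                    int thflags, uint32_t tsval)
{
    if (SEQ_LEQ(seq, tp->last_ack_sent))
        tp->ts_recent = covers_last_ack(tp, seq, tlen, thflags) ? tsval : 0;
    return tp->ts_recent;
}
```

With last_ack_sent at 1000, a segment covering only 900..910 still installs its timestamp in the as-posted version but is rejected once the leftover line is gone.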


