From owner-freebsd-security@FreeBSD.ORG Fri May 20 17:17:18 2005
From: Uwe Doering
Organization: Private UNIX Site
Date: Fri, 20 May 2005 19:17:10 +0200
To: Tim Traver
cc: freebsd-security@freebsd.org
Subject: Re: Possible PAWS security vulnerability
Message-ID: <428E1B96.3020306@geminix.org>
In-Reply-To: <428E0FD2.3070200@simplenet.com>
References: <428E0FD2.3070200@simplenet.com>
List-Id: Security issues [members-only posting]

Tim Traver wrote:
> Hello security gurus,
>
> yesterday, I mistakenly posted a question on the questions list about
> this article :
>
> http://www.securityfocus.com/bid/13676/info/
>
> which talks about a form of DOS vulnerability.
>
> I was curious as to the possibility of FreeBSD 5.x being affected, and
> if anyone was working on this or not.
>
> Ted Mittelstaedt posted this possible patch based upon the OpenBSD patch :
>
> in /usr/src/sys/netinet
>
> *** tcp_input.c.original Thu May 19 11:52:30 2005
> --- tcp_input.c Thu May 19 12:00:14 2005
> ***************
> *** 976,984 ****
> --- 976,992 ----
> * record the timestamp.
> * NOTE that the test is modified according to the latest
> * proposal of the tcplw@cray.com list (Braden 1993/04/26).
> + * NOTE2 additional check added as a result of PAWS
> vulnerability
> + * documented in Cisco security notice
> cisco-sn-20050518-tcpts
> + * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
> */
> if ((to.to_flags & TOF_TS) != 0 &&
> SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
> + if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
> +
> + ((thflags & (TH_SYN|TH_FIN)) != 0)))
> + tp->ts_recent = to.to_tsval;
> + else
> + tp->ts_recent = 0;
> tp->ts_recent_age = ticks;
> tp->ts_recent = to.to_tsval;
> }

I wonder, what good does it do to set 'tp->ts_recent' conditionally if
you overwrite it with 'to.to_tsval' two lines later in any case. So
far, I'd say this patch looks faulty.

Apart from that, why develop your own patch when there is one already
in CVS:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=h

As far as I can tell there are good chances that it even applies
flawlessly to RELENG_4.

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
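Review bot: The added if/else in the hunk at lines 976-992 is dead code, because the unchanged context line `tp->ts_recent = to.to_tsval;` still follows it and unconditionally overwrites whatever the new branch stored, so the `tp->ts_recent = 0;` rejection path never takes effect and the PAWS check is unchanged in practice. For the added check to do anything, that trailing assignment has to be removed (it should appear as a `-` line in the hunk, with the new conditional taking its place), so that a segment whose sequence range does not cover `tp->last_ack_sent` leaves `ts_recent` cleared instead of adopting the unverified timestamp. The hunk header `*** 976,984 **** / --- 976,992 ----` also claims eight added lines with no deletions, which is consistent with the assignment having been left in; regenerate the diff after the fix so the line counts match. Separately, the quoted `+ if (SEQ_LEQ(...th_seq + tlen` / `+` / `+ ((thflags ...` lines show the mailer wrapped the continuation `+` operator onto its own line, so this text will not apply cleanly with patch(1) as pasted. Since the message already points at the committed revision in CVS (r1.252.2.15 to r1.252.2.16 of tcp_input.c), applying that diff instead of this hand-ported one avoids both problems.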