Date: Wed, 30 Apr 2014 04:02:57 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r265121 - head/sys/netinet Message-ID: <201404300402.s3U42vR3013921@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Wed Apr 30 04:02:57 2014 New Revision: 265121 URL: http://svnweb.freebsd.org/changeset/base/265121 Log: Fix TCP reassembly vulnerability. Patch done by: glebius Security: FreeBSD-SA-14:08.tcp Security: CVE-2014-3000 Modified: head/sys/netinet/tcp_reass.c Modified: head/sys/netinet/tcp_reass.c ============================================================================== --- head/sys/netinet/tcp_reass.c Wed Apr 30 04:02:36 2014 (r265120) +++ head/sys/netinet/tcp_reass.c Wed Apr 30 04:02:57 2014 (r265121) @@ -194,7 +194,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -217,7 +217,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -265,7 +265,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404300402.s3U42vR3013921>