From owner-freebsd-security@FreeBSD.ORG Fri May 20 17:28:28 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EC4A516A4CE for ; Fri, 20 May 2005 17:28:28 +0000 (GMT)
Received: from mail1.simplenet.com (mailer.simplenet.com [209.132.1.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 79DFC43D6D for ; Fri, 20 May 2005 17:28:28 +0000 (GMT) (envelope-from tt-list@simplenet.com)
Received: from [209.132.9.116] (209.132.9.116) by mail1.simplenet.com (7.0.016) (authenticated as tt-list@simplenet.com) id 428D995700002B1C; Fri, 20 May 2005 10:28:02 -0700
Message-ID: <428E1D51.8060105@simplenet.com>
Date: Fri, 20 May 2005 10:24:33 -0700
From: Tim Traver
User-Agent: Mozilla Thunderbird 1.0 - [MOOX M2] (Windows/20041208)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Uwe Doering
References: <428E0FD2.3070200@simplenet.com> <428E1B96.3020306@geminix.org>
In-Reply-To: <428E1B96.3020306@geminix.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: Possible PAWS security vulnerability
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 20 May 2005 17:28:29 -0000

Uwe,

Thank you. That really answers my original question.

As I said, this was not my patch, and I didn't really even ask for one, but Ted created it, and then acted like a jerk to get me to post it to you guys.

Sorry to have taken your time.

Tim.

Uwe Doering wrote:
> Tim Traver wrote:
>
>> Hello security gurus,
>>
>> yesterday, I mistakenly posted a question on the questions list about this article:
>>
>> http://www.securityfocus.com/bid/13676/info/
>>
>> which talks about a form of DOS vulnerability.
>>
>> I was curious as to the possibility of FreeBSD 5.x being affected, and if anyone was working on this or not.
>>
>> Ted Mittelstaedt posted this possible patch based upon the OpenBSD patch:
>>
>> in /usr/src/sys/netinet
>>
>> *** tcp_input.c.original Thu May 19 11:52:30 2005 >> --- tcp_input.c Thu May 19 12:00:14 2005 >> *************** >> *** 976,984 **** >> --- 976,992 ---- >> * record the timestamp. >> * NOTE that the test is modified according to the latest >> * proposal of the tcplw@cray.com list (Braden >> 1993/04/26). >> + * NOTE2 additional check added as a result of PAWS >> vulnerability >> + * documented in Cisco security notice >> cisco-sn-20050518-tcpts >> + * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch >> */ >> if ((to.to_flags & TOF_TS) != 0 && >> SEQ_LEQ(th->th_seq, tp->last_ack_sent)) { >> + if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen >> + >> + ((thflags & (TH_SYN|TH_FIN)) != 0))) >> + tp->ts_recent = to.to_tsval; >> + else >> + tp->ts_recent = 0; >> tp->ts_recent_age = ticks; >> tp->ts_recent = to.to_tsval; >> }
>
>
> I wonder, what good does it do to set 'tp->ts_recent' conditionally if you overwrite it with 'to.to_tsval' two lines later in any case. So far, I'd say this patch looks faulty.
>
> Apart from that, why develop your own patch when there is one already in CVS:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=h
>
> As far as I can tell there are good chances that it even applies flawlessly to RELENG_4.
>
> Uwe
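Review bot: the added `if (SEQ_LEQ(tp->last_ack_sent, ...)) tp->ts_recent = to.to_tsval; else tp->ts_recent = 0;` inside the `(to.to_flags & TOF_TS) != 0` block is a dead store, because the pre-existing `tp->ts_recent = to.to_tsval;` that follows `tp->ts_recent_age = ticks;` is kept as unchanged context and overwrites both branches; the hunk headers `*** 976,984 ****` / `--- 976,992 ----` account for eight added lines and no removed or changed ones, which confirms the old assignment was never taken out. For the covering check to have any effect, that old assignment line has to go (a `-` or `!` line in the `***` section of the context diff), so that a timestamped segment whose sequence range does not reach `last_ack_sent` leaves `ts_recent` at 0 instead of adopting the segment's timestamp. Separately, the breaks at `(Braden >> 1993/04/26)`, `PAWS >> vulnerability`, `notice >> cisco-sn-...` and `tlen >> + >> +` show the mail client wrapped the long lines (the message is `format=flowed`), so the quoted copy would need those lines rejoined before it could be fed to patch(1) at all.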
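A stand-alone C model of the branch Uwe is talking about, added here as an illustration: it is not code from the thread, from FreeBSD's tcp_input.c, or from the CVS revision he links. `ts_update_as_posted` reproduces the control flow of the quoted hunk, including the leftover unconditional assignment, and `ts_update_with_check` is the same code with that one line deleted, which is what the new if/else was evidently meant to do. `struct paws_state`, `ts_recent_after`, the segment values and the starting `ts_recent` of 42 are constructed for this example; `SEQ_LEQ` follows the definition in FreeBSD's sys/netinet/tcp_seq.h.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Modular sequence-number comparison as FreeBSD defines it in
 * sys/netinet/tcp_seq.h; correct across 32-bit wrap-around. */
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TOF_TS 0x0001

/* Stand-in for the three tcpcb fields the timestamp update touches
 * (constructed for this example; not the kernel's struct tcpcb). */
struct paws_state {
	tcp_seq  last_ack_sent;   /* highest ACK number we have sent */
	uint32_t ts_recent;       /* timestamp we echo back to the peer */
	uint32_t ts_recent_age;   /* tick count when ts_recent was set */
};

/* The hunk as posted: the new if/else is followed by the original
 * unconditional assignment, which wins on every path. */
static void
ts_update_as_posted(struct paws_state *tp, tcp_seq th_seq, int tlen,
    int thflags, int to_flags, uint32_t to_tsval, uint32_t ticks)
{
	if ((to_flags & TOF_TS) != 0 && SEQ_LEQ(th_seq, tp->last_ack_sent)) {
		if (SEQ_LEQ(tp->last_ack_sent,
		    th_seq + tlen + ((thflags & (TH_SYN | TH_FIN)) != 0)))
			tp->ts_recent = to_tsval;
		else
			tp->ts_recent = 0;
		tp->ts_recent_age = ticks;
		tp->ts_recent = to_tsval;   /* leftover line: dead-store bug */
	}
}

/* Same code with the leftover assignment removed, so the covering check
 * (does the segment's sequence range reach last_ack_sent?) decides. */
static void
ts_update_with_check(struct paws_state *tp, tcp_seq th_seq, int tlen,
    int thflags, int to_flags, uint32_t to_tsval, uint32_t ticks)
{
	if ((to_flags & TOF_TS) != 0 && SEQ_LEQ(th_seq, tp->last_ack_sent)) {
		if (SEQ_LEQ(tp->last_ack_sent,
		    th_seq + tlen + ((thflags & (TH_SYN | TH_FIN)) != 0)))
			tp->ts_recent = to_tsval;
		else
			tp->ts_recent = 0;
		tp->ts_recent_age = ticks;
	}
}

/* Feed one timestamped, flag-less segment to either variant and return
 * the resulting ts_recent.  It starts at 42 so "left alone" (42) is
 * distinguishable from "zeroed" (0) and "accepted" (to_tsval). */
uint32_t
ts_recent_after(int with_check, tcp_seq last_ack_sent, tcp_seq th_seq,
    int tlen, uint32_t to_tsval)
{
	struct paws_state tp = { last_ack_sent, 42, 0 };

	if (with_check)
		ts_update_with_check(&tp, th_seq, tlen, 0, TOF_TS, to_tsval, 1);
	else
		ts_update_as_posted(&tp, th_seq, tlen, 0, TOF_TS, to_tsval, 1);
	return tp.ts_recent;
}

int
main(void)
{
	/* Constructed scenarios; last_ack_sent is 1000 in each one. */
	struct { const char *what; tcp_seq seq; int len; } cases[] = {
		{ "stale segment ending before last_ack_sent",  500, 10 },
		{ "segment covering last_ack_sent",             995, 10 },
		{ "segment entirely after last_ack_sent",      1500, 10 },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-44s as posted: %3u   with check: %3u\n", cases[i].what,
		    (unsigned)ts_recent_after(0, 1000, cases[i].seq, cases[i].len, 777),
		    (unsigned)ts_recent_after(1, 1000, cases[i].seq, cases[i].len, 777));
	return 0;
}
```

Build with `cc -o paws paws.c && ./paws`. The first row is the point of Uwe's remark: a segment whose data ends 490 bytes before `last_ack_sent` still has its timestamp (777) installed by the code as posted, while the version without the leftover line zeroes `ts_recent` because the covering check failed. The third row shows both variants leaving `ts_recent` alone when the segment lies beyond `last_ack_sent`, since the outer `SEQ_LEQ` already rejects it.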