Date: Mon, 31 Jan 2011 11:43:03 -0600
From: Tom Judge <tom@tomjudge.com>
To: John Baldwin <jhb@freebsd.org>
Cc: freebsd-security@freebsd.org, Bjoern Zeeb <bz@freebsd.org>, Lawrence Stewart <lstewart@freebsd.org>
Subject: Re: Recent full disclosure post - Local DOS
Message-ID: <4D46F4A7.8050306@tomjudge.com>
In-Reply-To: <201101281427.19212.jhb@freebsd.org>
References: <4D42D2B2.4030806@tomjudge.com> <201101281209.51046.john@baldwin.cx> <4D42FF0E.9030407@tomjudge.com> <201101281427.19212.jhb@freebsd.org>
On 01/28/2011 01:27 PM, John Baldwin wrote: > On Friday, January 28, 2011 12:38:22 pm Tom Judge wrote: >> On 01/28/2011 11:09 AM, John Baldwin wrote: >>> On Friday, January 28, 2011 11:08:37 am Tom Judge wrote: >>>> On 01/28/2011 08:29 AM, Tom Judge wrote: >>>>> >>>>> Has anyone looked at this: >>>>> >>>>> [Full-disclosure] FreeBSD local denial of service - forced reboot >>>>> >>>>> http://lists.grok.org.uk/pipermail/full-disclosure/2011- >>> January/078836.html >>>>> <SNIP> >> >> Hi John, >> >> I can't repeat this with the code you sent. I tried this in a while (1) >> loop and had 4 instances running without issue. > > Humm. That is the only setsockopt for TCP that can trigger a call to > tcp_output(). > Hi John, I have just updated my test box to r218019. Without your patch the issue is still present. With your patch it seems to be fine (It passed 100 iterations of the code in the post). Tom > I have a possible fix I'm just not sure if it is completely correct: > > Index: tcp_usrreq.c > =================================================================== > --- tcp_usrreq.c (revision 218018) > +++ tcp_usrreq.c (working copy) > @@ -1330,7 +1330,8 @@ tcp_ctloutput(struct socket *so, struct sockopt *s > tp->t_flags |= TF_NOPUSH; > else { > tp->t_flags &= ~TF_NOPUSH; > - error = tcp_output(tp); > + if (TCPS_HAVEESTABLISHED(tp->t_state)) > + error = tcp_output(tp); > } > INP_WUNLOCK(inp); > break; > -- TJU13-ARIN
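Review bot: the new `if (TCPS_HAVEESTABLISHED(tp->t_state))` guard in the else branch that clears TF_NOPUSH carries no comment saying why tcp_output() is skipped for a socket that has not reached the established state, and that reason is the whole point of the fix. Suggest a short comment above the guard stating that the flag is still cleared but the flush is only attempted once the connection is established. Two things to confirm in the same hunk: TCPS_HAVEESTABLISHED is true for every state at or after ESTABLISHED, so the closing states still reach `error = tcp_output(tp);`, and when the guard is false `error` keeps whatever value it had before this branch, so it should be verified to be 0 on that path.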