From: Tom Judge
Date: Mon, 31 Jan 2011 11:43:03 -0600
To: John Baldwin
Cc: freebsd-security@freebsd.org, Bjoern Zeeb, Lawrence Stewart
Subject: Re: Recent full disclosure post - Local DOS
Message-ID: <4D46F4A7.8050306@tomjudge.com>
In-Reply-To: <201101281427.19212.jhb@freebsd.org>

On 01/28/2011 01:27 PM, John Baldwin wrote:
> On Friday, January 28, 2011 12:38:22 pm Tom Judge wrote:
>> On 01/28/2011 11:09 AM, John Baldwin wrote:
>>> On Friday, January 28, 2011 11:08:37 am Tom Judge wrote:
>>>> On 01/28/2011 08:29 AM, Tom Judge wrote:
>>>>>
>>>>> Has anyone looked at this:
>>>>>
>>>>> [Full-disclosure] FreeBSD local denial of service - forced reboot
>>>>>
>>>>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html
>>>>>
>>
>> Hi John,
>>
>> I can't repeat this with the code you sent. I tried this in a while (1)
>> loop and had 4 instances running without issue.
>
> Humm. That is the only setsockopt for TCP that can trigger a call to
> tcp_output().
>

Hi John,

I have just updated my test box to r218019. Without your patch the issue is
still present. With your patch it seems to be fine (it passed 100 iterations
of the code in the post).

Tom

> I have a possible fix, I'm just not sure if it is completely correct:
>
> Index: tcp_usrreq.c
> ===================================================================
> --- tcp_usrreq.c (revision 218018)
> +++ tcp_usrreq.c (working copy)
> @@ -1330,7 +1330,8 @@ tcp_ctloutput(struct socket *so, struct sockopt *s > tp->t_flags |= TF_NOPUSH; > else { > tp->t_flags &= ~TF_NOPUSH; > - error = tcp_output(tp); > + if (TCPS_HAVEESTABLISHED(tp->t_state)) > + error = tcp_output(tp); > } > INP_WUNLOCK(inp); > break; > -- TJU13-ARIN
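Review bot: in the TF_NOPUSH clearing branch of tcp_ctloutput(), `error = tcp_output(tp)` was the only assignment to `error` in that `else` arm, so once it is guarded by `TCPS_HAVEESTABLISHED(tp->t_state)` the not-yet-established path returns whatever `error` held before the branch; the assignment that precedes the hunk is not shown, so confirm it is zero there, otherwise clearing TCP_NOPUSH on an unconnected socket would hand a stale error back to setsockopt(2). The guard itself carries no explanation of why tcp_output() must be skipped before the connection is established, which is the whole point of the fix this thread is testing; a one-line comment above the new `if`, e.g. `/* tcp_output() is only valid once the connection is established. */`, would keep the next reader from "simplifying" it away.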