From: Xin Li
Organization: The FreeBSD Project
Date: Thu, 01 May 2014 11:42:10 -0700
To: Karl Pielorz, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

On 05/01/14 07:19, Karl Pielorz wrote:
> --On 30 April 2014 04:35:10 +0000 FreeBSD Security Advisories wrote:
>
>> II. Problem Description
>>
>> FreeBSD may add a reassemble queue entry on the stack into the
>> segment list when the reassembly queue reaches its limit. The
>> memory from the stack is undefined after the function returns.
>> Subsequent iterations of the reassembly function will attempt to
>> access this entry.
>
> Hi,
>
> Does this require an established TCP session to be present? - i.e.
> If you have a host which provides no external TCP sessions (i.e.
> replies 'Connection Refused' / drops the initial SYN) would that
> still be potentially exploitable?

No. An established TCP session is required.

> What about boxes used as routers - that just forward the traffic
> (and again, offer no TCP services directly themselves)?

Routers themselves are not affected assuming that they merely forward the traffic.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
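
A simplified model of the pattern in the quoted Problem Description, added here as an illustration; it is not FreeBSD's code or the advisory's patch. `QLIMIT`, `struct rq`, `reass_flawed`, `reass_checked` and `rq_drain` are hypothetical names, and the drop-or-deliver policy at the limit is an assumption of the model.

```c
#include <stdlib.h>

#define QLIMIT 2   /* constructed queue limit for this model */

struct seg { unsigned seq; struct seg *next; };
struct rq  { struct seg *head; int len; unsigned rcv_nxt; };

static void link_seg(struct rq *q, struct seg *s, unsigned seq)
{
    s->seq = seq;
    s->next = q->head;
    q->head = s;
    q->len++;
}

/* Flawed pattern from the problem description: at the limit a stack
 * entry is linked into the list, so q->head dangles after return. */
int reass_flawed(struct rq *q, unsigned seq)
{
    struct seg tmp;
    struct seg *s = (q->len >= QLIMIT) ? &tmp : malloc(sizeof(*s));
    if (s == NULL)
        return -1;
    link_seg(q, s, seq);            /* BUG when s == &tmp */
    return 0;
}

/* Hardened model: only heap entries are ever linked. At the limit the
 * expected segment is consumed at once and anything else is dropped. */
int reass_checked(struct rq *q, unsigned seq)
{
    struct seg *s;
    if (q->len >= QLIMIT) {
        if (seq != q->rcv_nxt)
            return -1;              /* dropped; the peer retransmits */
        q->rcv_nxt++;               /* delivered without queueing */
        return 1;
    }
    if ((s = malloc(sizeof(*s))) == NULL)
        return -1;
    link_seg(q, s, seq);
    return 0;
}

int rq_drain(struct rq *q)          /* free queued entries, return count */
{
    int n = 0;
    for (struct seg *s; (s = q->head) != NULL; n++, q->len--) {
        q->head = s->next;
        free(s);
    }
    return n;
}
```

In the hardened form, every pointer reachable from `q->head` refers to heap storage, so a later pass over the list never reads memory from a frame that has already returned.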