From owner-freebsd-security Mon Jun 2 15:38:36 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA17330 for security-outgoing; Mon, 2 Jun 1997 15:38:36 -0700 (PDT)
Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id PAA17322 for ; Mon, 2 Jun 1997 15:38:30 -0700 (PDT)
Received: (from darrenr@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id IAA29632 for security@freebsd.org; Tue, 3 Jun 1997 08:38:23 +1000
From: Darren Reed
Message-Id: <199706022238.IAA29632@plum.cyber.com.au>
Subject: Re: TCP RST Handling in 2.2 (fwd)
To: security@freebsd.org
Date: Tue, 3 Jun 1997 08:38:23 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Bakul Shah forwarded to me the relevant part of the RFC. I think there is some missing code.

[...]
> Reset Processing
>
> All reset (RST) segments are validated by checking their SEQ-fields.
> A reset is valid if its sequence number is in the window. In the case
> of a RST received in response to an initial SYN any sequence number is
> acceptable if the ACK field acknowledges the SYN.
>
> The receiver of a RST first validates it, then changes state. If the
> receiver was in the LISTEN state, it ignores it. If the receiver was
> in SYN-RECEIVED state and had previously been in the LISTEN state,
> then the receiver returns to the LISTEN state, otherwise the receiver
> aborts the connection and goes to the CLOSED state. If the receiver
> was in any other state, it aborts the connection and advises the user
> and goes to the CLOSED state.
[...]

Currently, not even the SEQ number is verified (for an RST packet) - i.e. that the ACK does acknowledge the SYN. I think there is room for improvement in the code.

Comments?

Darren

p.s. I've brought this up because of people's experience with IP Filter which currently won't allow any TCP packets through if they are outside either window (when "keep state" is used). A case has been presented where the RST being sent back has a 0 ACK field but a non-zero SEQ field.
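The RFC 793 "Reset Processing" rule quoted in the message, written out as a standalone validation routine. This is an added example for this archive page, not code from the email, from FreeBSD's TCP stack or from IP Filter; the `tcp_conn` structure, the state names and the `rst_is_valid`/`check_rst` functions are hypothetical. It implements both halves of the rule: a RST answering our SYN is accepted only when its ACK field acknowledges the SYN (ISS+1), and a RST on an existing connection is accepted only when its SEQ lies in the receive window, using wraparound-safe sequence arithmetic. The second case in the demo is the one the postscript describes: a RST carrying a zero ACK field but a non-zero SEQ, which this rule rejects while in SYN-SENT.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* TCP states relevant to RFC 793 "Reset Processing" (hypothetical names). */
enum tcp_state { TS_LISTEN, TS_SYN_SENT, TS_SYN_RECEIVED, TS_ESTABLISHED };

#define TH_RST 0x04
#define TH_ACK 0x10

/* Minimal per-connection state for the check (hypothetical, not IP Filter's). */
struct tcp_conn {
    enum tcp_state state;
    uint32_t iss;      /* our initial send sequence number (the SYN we sent) */
    uint32_t rcv_nxt;  /* next sequence number we expect from the peer */
    uint32_t rcv_wnd;  /* receive window we last advertised */
};

/* Sequence-space comparisons that survive 32-bit wraparound. */
static int seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static int seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* Is SEQ inside [rcv_nxt, rcv_nxt + rcv_wnd)?  With a zero window RFC 793
 * accepts only SEQ == rcv_nxt. */
static bool seq_in_window(const struct tcp_conn *c, uint32_t seq)
{
    if (c->rcv_wnd == 0)
        return seq == c->rcv_nxt;
    return seq_leq(c->rcv_nxt, seq) && seq_lt(seq, c->rcv_nxt + c->rcv_wnd);
}

/* RFC 793 Reset Processing: true if the RST is valid and should be acted
 * upon, false if it must be ignored. */
bool rst_is_valid(const struct tcp_conn *c, uint8_t flags,
                  uint32_t seq, uint32_t ack)
{
    if (!(flags & TH_RST))
        return false;               /* not a reset segment at all */

    switch (c->state) {
    case TS_LISTEN:
        return false;               /* a listener ignores every RST */
    case TS_SYN_SENT:
        /* RST in response to our initial SYN: any SEQ is acceptable, but
         * the ACK field must acknowledge the SYN, i.e. ACK == ISS + 1.
         * A RST with no ACK flag, or ACK == 0, fails this test. */
        return (flags & TH_ACK) && ack == c->iss + 1;
    default:
        /* Any other state: the SEQ must be inside the receive window. */
        return seq_in_window(c, seq);
    }
}

/* Convenience wrapper so a caller can describe the connection inline. */
bool check_rst(enum tcp_state st, uint32_t iss, uint32_t rcv_nxt,
               uint32_t rcv_wnd, uint8_t flags, uint32_t seq, uint32_t ack)
{
    struct tcp_conn c = { st, iss, rcv_nxt, rcv_wnd };
    return rst_is_valid(&c, flags, seq, ack);
}

int main(void)
{
    /* Constructed cases: a SYN we sent with ISS 1000, answered by RSTs. */
    printf("SYN-SENT, RST+ACK 1001        -> %s\n",
           check_rst(TS_SYN_SENT, 1000, 0, 0, TH_RST | TH_ACK, 0, 1001) ? "valid" : "ignore");
    printf("SYN-SENT, RST seq 5000 ack 0  -> %s\n",
           check_rst(TS_SYN_SENT, 1000, 0, 0, TH_RST, 5000, 0) ? "valid" : "ignore");
    /* Established connection expecting 2000 with a 100-byte window. */
    printf("ESTABLISHED, RST seq 2050     -> %s\n",
           check_rst(TS_ESTABLISHED, 1000, 2000, 100, TH_RST, 2050, 0) ? "valid" : "ignore");
    printf("ESTABLISHED, RST seq 2100     -> %s\n",
           check_rst(TS_ESTABLISHED, 1000, 2000, 100, TH_RST, 2100, 0) ? "valid" : "ignore");
    return 0;
}
```

The in-window test deliberately uses signed differences rather than plain `<` so that a window straddling the 2^32 boundary is handled correctly; a stateful filter that compared raw sequence numbers would wrongly drop legitimate resets near wrap.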