From: "David DeSimone"
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Date: Fri, 2 May 2014 12:16:06 -0400
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
In-Reply-To: <96385.1398973109@server1.tristatelogic.com>
References: <53629582.9010605@delphij.net> <96385.1398973109@server1.tristatelogic.com>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

Are you perhaps confusing IP Fragment Reassembly with the similar but unrelated TCP Segment Reassembly?

My understanding is that TCP stacks normally try very hard not to generate IP fragments in a TCP stream.

It appears that this bug report relates only to TCP Reassembly, and has nothing to do with IP Fragments. But perhaps I am misreading it?

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Ronald F. Guilmette
Sent: Thursday, May 01, 2014 2:38 PM
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

In message <53629582.9010605@delphij.net>, Xin Li wrote:
>On 05/01/14 07:19, Karl Pielorz wrote:
>>
>>
>> --On 30 April 2014 04:35:10 +0000 FreeBSD Security Advisories wrote:
>>
>>> II. Problem Description
>>>
>>> FreeBSD may add a reassemble queue entry on the stack into the
>>> segment list when the reassembly queue reaches its limit. The
>>> memory from the stack is undefined after the function returns.
>>> Subsequent iterations of the reassembly function will attempt to
>>> access this entry.
>>
>> Hi,
>>
>> Does this require an established TCP session to be present? - i.e.
>> If you have a host which provides no external TCP sessions (i.e.
>> replies 'Connection Refused' / drops the initial SYN) would that
>> still be potentially exploitable?
>
>No. An established TCP session is required.

I also have a question....

If one manages a system where (a) all local user accounts are completely and 100% trustworthy and where (b) one has in place ipfw rules which reject all incoming packet *fragments* on all outward-facing interfaces, then is this security problem (relating to the reassembly queue) an issue at all for said system? Or is it rather a non-event in such contexts?

Regards,
rfg

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
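An added illustration of the distinction drawn in the reply above (this is not code from any of the posters or from FreeBSD): out-of-order TCP segments that accumulate in a receiver's reassembly queue are whole IP datagrams, typically with DF set, so a firewall rule that drops IP fragments never sees them. The packet layout, addresses, ports and the bounded-queue model are constructed assumptions for the demonstration.

```python
import struct

IP_MF = 0x1  # IPv4 "more fragments" flag bit (3-bit flags field)
IP_DF = 0x2  # IPv4 "don't fragment" flag bit


def build_ipv4_tcp(seq, data, flags=IP_DF, frag_offset=0):
    """Construct a minimal IPv4+TCP packet (constructed sample, checksums left zero).
    Flags and fragment offset are explicit so both kinds of datagram can be built."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x10, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     (flags << 13) | frag_offset, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def is_ip_fragment(pkt):
    """True when the datagram is an IP fragment (MF set or non-zero offset).
    Only such packets are candidates for a fragment-matching firewall rule."""
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    return bool((flags_off >> 13) & IP_MF) or (flags_off & 0x1FFF) != 0


def tcp_reassembly_path(pkts, expected_seq, queue_limit):
    """Model of the TCP receive side: in-order data advances expected_seq,
    out-of-order whole segments are held in a bounded reassembly queue.
    Returns (sequence numbers queued, datagrams a fragment filter would drop)."""
    queued, fragments = [], 0
    for pkt in pkts:
        if is_ip_fragment(pkt):
            fragments += 1          # dropped by an IP-fragment rule, never reaches TCP
            continue
        ihl = (pkt[0] & 0xF) * 4
        seq = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
        data = pkt[ihl + 20:]
        if seq == expected_seq:
            expected_seq += len(data)
        elif len(queued) < queue_limit:
            queued.append(seq)      # held until the gap before it is filled
        # else: queue already at its limit, the situation the advisory describes
    return queued, fragments


# Constructed out-of-order segments: whole datagrams, DF set, no IP fragmentation.
OUT_OF_ORDER = [build_ipv4_tcp(1000 + 100 * i, b"x" * 100) for i in range(3, 8)]
# Constructed non-first IP fragment (offset in 8-byte units): what a fragment rule matches.
FRAGMENT = build_ipv4_tcp(0, b"y" * 8, flags=0, frag_offset=185)

if __name__ == "__main__":
    print(tcp_reassembly_path(OUT_OF_ORDER + [FRAGMENT], 1000, 4))
```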