From owner-freebsd-security@FreeBSD.ORG Mon Jan 31 22:58:32 2011
Message-ID: <4D473A53.6000602@freebsd.org>
Date: Tue, 01 Feb 2011 09:40:19 +1100
From: Lawrence Stewart
To: Christian Peron
Cc: Tom Judge, freebsd-security@freebsd.org, Bjoern Zeeb, John Baldwin
In-Reply-To: <20110129003032.GA16316@movsx>
Subject: Re: Recent full disclosure post - Local DOS

On 01/29/11 11:30, Christian Peron wrote:
> On Fri, Jan 28, 2011 at 02:27:18PM -0500, John Baldwin wrote:
> [..]
>> ===================================================================
>> --- tcp_usrreq.c (revision 218018)
>> +++ tcp_usrreq.c (working copy)
>> @@ -1330,7 +1330,8 @@ tcp_ctloutput(struct socket *so, struct sockopt *s
>> tp->t_flags |= TF_NOPUSH;
>> else {
>> tp->t_flags &= ~TF_NOPUSH;
>> - error = tcp_output(tp);
>> + if (TCPS_HAVEESTABLISHED(tp->t_state))
>> + error = tcp_output(tp);
>> }
>> INP_WUNLOCK(inp);
>> break;
>
> I was thinking of correcting it the same way.. I might even do something
> like:
>
> 	else {
> 		if (tp->t_flags & TF_NOPUSH) {
> 			tp->t_flags &= ~TF_NOPUSH;
> 			if (TCPS_HAVEESTABLISHED(tp->t_state))
> 				error = tcp_output(tp);
> 		}
> 	}
>
> By default, this mask is not set.. so un-setting it and calling tcp_output()
> if it was not already set seems wasteful

Apologies for tuning in late, but FWIW I concur and think the above patch
is appropriate.

Cheers,
Lawrence
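Review bot: in the quoted tcp_ctloutput() hunk, the new TCPS_HAVEESTABLISHED() guard stops tcp_output() from being called on a control block that has not reached ESTABLISHED, but it still calls tcp_output() every time userland clears TCP_NOPUSH on an established connection, whether or not TF_NOPUSH was actually set; the follow-up suggestion of wrapping the clear in `if (tp->t_flags & TF_NOPUSH)` before `tp->t_flags &= ~TF_NOPUSH;` avoids that pointless output pass and should be folded into the committed change. One thing to confirm outside the hunk: `error` is no longer assigned on the new skip path, so it must already hold 0 (or the intended value) when control enters this `else` branch, otherwise a stale error from earlier in tcp_ctloutput() would be returned for a successful setsockopt(). Note also that TCPS_HAVEESTABLISHED() admits the post-ESTABLISHED states (CLOSE_WAIT, FIN_WAIT_1/2, CLOSING, LAST_ACK, TIME_WAIT) as well as ESTABLISHED, which is the intended semantics here since there may still be queued data to push, while CLOSED, LISTEN, SYN_SENT and SYN_RECEIVED are all excluded.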