From owner-freebsd-security Thu May 14 21:31:45 1998
Date: Fri, 15 May 1998 10:31:11 +0600 (ESS)
From: Vasim Valejev
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:03.ttcp
In-Reply-To: <199805141958.VAA12382@gvr.gvr.org>

Hi!

On Thu, 14 May 1998, FreeBSD Security Officer wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-98:03 Security Advisory
> FreeBSD, Inc.
>
> Topic: Problems with TTCP
> [skip]
> --- tcp_input.c 1998/04/24 10:08:57 1.74
> +++ tcp_input.c 1998/05/04 17:59:52 1.75
> @@ -680,7 +680,9 @@ > * - otherwise do a normal 3-way handshake. > */ > if ((to.to_flag & TOF_CC) != 0) { > - if (taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) { > + if (tp->t_state & TF_NOPUSH && > + taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) { > + > taop->tao_cc = to.to_cc; > tp->t_state = TCPS_ESTABLISHED; > May be this fix will be better ? Index: tcp_seq.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/tcp_seq.h,v retrieving revision 1.1.1.1 diff -c -r1.1.1.1 tcp_seq.h *** tcp_seq.h 1997/11/27 05:36:24 1.1.1.1 --- tcp_seq.h 1998/05/15 03:57:46 *************** *** 57,63 **** */ #define CC_LT(a,b) ((int)((a)-(b)) < 0) #define CC_LEQ(a,b) ((int)((a)-(b)) <= 0) ! #define CC_GT(a,b) ((int)((a)-(b)) > 0) #define CC_GEQ(a,b) ((int)((a)-(b)) >= 0) /* Macro to increment a CC: skip 0 which has a special meaning */ --- 57,63 ---- */ #define CC_LT(a,b) ((int)((a)-(b)) < 0) #define CC_LEQ(a,b) ((int)((a)-(b)) <= 0) ! #define CC_GT(a,b) ((int)((a)-(b)) == 1) #define CC_GEQ(a,b) ((int)((a)-(b)) >= 0) /* Macro to increment a CC: skip 0 which has a special meaning */ Index: tcp_usrreq.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/tcp_usrreq.c,v retrieving revision 1.2 diff -c -r1.2 tcp_usrreq.c *** tcp_usrreq.c 1998/01/31 08:51:46 1.2 --- tcp_usrreq.c 1998/05/15 03:56:42 *************** *** 603,616 **** bzero(taop, sizeof(*taop)); } ! tp->cc_send = CC_INC(tcp_ccgen); ! if (taop->tao_ccsent != 0 && ! CC_GEQ(tp->cc_send, taop->tao_ccsent)) { ! taop->tao_ccsent = tp->cc_send; ! } else { ! taop->tao_ccsent = 0; tp->t_flags |= TF_SENDCCNEW; ! } return 0; } --- 603,613 ---- bzero(taop, sizeof(*taop)); } ! if (taop->tao_ccsent == 0) tp->t_flags |= TF_SENDCCNEW; ! tp->cc_send = CC_INC(taop->tao_ccsent); ! if (taop->tao_ccsent == 0) ! 
taop->tao_ccsent = tp->cc_send; return 0; }

After this fix the TAO-test algorithm changed and any attempts to use RFC 1644's security hole will be rejected.

Vasim V. (2:5011/27 http://members.tripod.com/~Vasim VV86-RIPE)
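Review bot: in the quoted tcp_input.c hunk, the added test `tp->t_state & TF_NOPUSH` masks a flag bit against the connection-state field: `t_state` holds TCPS_* values (the same hunk assigns `tp->t_state = TCPS_ESTABLISHED` two lines later), while `TF_`-prefixed constants are `t_flags` bits (compare `tp->t_flags |= TF_SENDCCNEW` in the tcp_usrreq.c diff). As written the condition does not test whether the socket asked for T/TCP behaviour; if that is the intent, it should read `tp->t_flags & TF_NOPUSH`, preferably parenthesised so the precedence against `&&` is explicit. The added empty `+` line is stray whitespace.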
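Review bot: in the tcp_seq.h hunk, redefining `CC_GT(a,b)` as `((int)((a)-(b)) == 1)` turns a generic ordering macro into an "exactly the next value" test while keeping its name and leaving `CC_LT`, `CC_LEQ` and `CC_GEQ` untouched, so the four macros are no longer consistent (`CC_GT` false no longer implies `CC_LEQ` true) and every other caller of `CC_GT` silently inherits the new meaning. The `== 1` test also clashes with the comment right below it, "skip 0 which has a special meaning": when the counter wraps and skips 0, the legitimate successor of a cached value differs from it by 2, so a well-behaved peer would be pushed into a 3-way handshake. Suggest a separately named macro (a hypothetical `CC_NEXT(a,b)`, for example) that also handles the wrap case, and leave `CC_GT` alone. Narrowing the accepted window to one value does not make the CC a secret; the cached value remains a plain counter, so this tightens the check without changing the trust model the advisory is concerned with.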
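Review bot: in the tcp_usrreq.c hunk, `tp->cc_send = CC_INC(taop->tao_ccsent);` hands the cache entry itself to `CC_INC`, which tcp_seq.h describes as a macro that increments a CC. If the macro advances its argument in place (as a `++(c)`-style macro does), the cache entry is already nonzero by the time the trailing `if (taop->tao_ccsent == 0) taop->tao_ccsent = tp->cc_send;` runs, making that assignment dead code; if it does not, the cache entry never advances past its first value and later connections to the same host repeat the same CC. Either way the intent should be written out explicitly: compute the next value into a local, store it in `taop->tao_ccsent`, then assign it to `tp->cc_send`. Two smaller points: the hunk drops the `CC_GEQ(tp->cc_send, taop->tao_ccsent)` branch that previously forced `TF_SENDCCNEW` when the counter went backwards, so wrap-around of the new per-host counter now passes silently; and `tcp_ccgen` is no longer consulted here, so the relationship between the system-wide generator and the per-destination counters should be stated in a comment.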