From owner-freebsd-security  Tue Jan 25 16:12:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21])
	by hub.freebsd.org (Postfix) with ESMTP id 67AF514DD3
	for <security@FreeBSD.ORG>; Tue, 25 Jan 2000 16:11:54 -0800 (PST)
	(envelope-from gdonl@tsc.tdk.com)
Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198])
	by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id QAA06341;
	Tue, 25 Jan 2000 16:11:40 -0800 (PST)
	(envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194])
	by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id QAA75836;
	Tue, 25 Jan 2000 16:11:39 -0800 (PST)
	(envelope-from Don.Lewis@tsc.tdk.com)
Received: (from gdonl@localhost)
	by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id QAA28012;
	Tue, 25 Jan 2000 16:11:39 -0800 (PST)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <200001260011.QAA28012@salsa.gv.tsc.tdk.com>
Date: Tue, 25 Jan 2000 16:11:39 -0800
In-Reply-To: <200001251934.LAA71614@gndrsh.dnsmgr.net>
References:  <200001251934.LAA71614@gndrsh.dnsmgr.net>
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>,
	dillon@apollo.backplane.com (Matthew Dillon)
Subject: Re: Merged patches
Cc: imp@village.org (Warner Losh), security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jan 25, 11:34am, "Rodney W. Grimes" wrote:
} Subject: Re: Merged patches
} >     I found a bug in the patch:
} > 
} > : #endif
} > :-		if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
} > :-			goto drop;
} > :+		if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
} > :+		    IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
} > :+		    IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))
} 
} And yet another bugger.... you just made it impossible for anyone
} doing work with the EXPERIMENTAL block at 240.0.0.0/8 on FreeBSD
} using TCP without hacking the kernel code.  Please remove the
} last check here.

How about changing the last part to to
	ip->ip_src.s_addr == htonl(INADDR_BROADCAST)
which is the subset of IN_EXPERIMENTAL that I was concerned about.

Without this, someone will post yet another variant of this attack
using a broadcast source address.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message