From owner-freebsd-bugs  Thu Nov 20 12:10:12 1997
Return-Path: <owner-freebsd-bugs>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id MAA02958
          for bugs-outgoing; Thu, 20 Nov 1997 12:10:12 -0800 (PST)
          (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id MAA02925;
          Thu, 20 Nov 1997 12:10:06 -0800 (PST)
          (envelope-from gnats)
Date: Thu, 20 Nov 1997 12:10:06 -0800 (PST)
Message-Id: <199711202010.MAA02925@hub.freebsd.org>
To: freebsd-bugs
Cc: 
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Subject: kern/5103: FreeBSD kernel lockup from spoofed TCP packet
Reply-To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR kern/5103; it has been noted by GNATS.

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: freebsd-gnats-submit@freebsd.org
Cc:  Subject: kern/5103: FreeBSD kernel lockup from spoofed TCP packet
Date: Thu, 20 Nov 1997 15:08:52 -0500 (EST)

 <<On Thu, 20 Nov 1997 04:31:21 -0800 (PST), Matt Dillon <dillon@best.net> said:
 
 > 	not sure about this.  I hacked our kernels to discard any packet
 > 	where ti_src.s_addr == ti_dst.s_addr && ti_sport == ti_dport.  I
 > 	am hoping this will prevent the attack from looping the code.
 
 I added this quick hack to tcp_input.c in rev. 1.66, and changed the
 PR's state to `serious'.  There is still an underlying bug, since
 self-connect not only should work, but once did.  The same hack should
 be brought into -stable once it is verified to solve the problem (and
 it certainly should).
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick