Date: Wed, 26 Jan 2000 15:04:07 -0700 From: Wes Peters <wes@softweyr.com> To: Warner Losh <imp@village.org>, geniusj <geniusj@cmgsccc.com>, security@freebsd.org Subject: Re: Merged patches Message-ID: <388F6F57.9F7E52E@softweyr.com> References: <Pine.BSF.4.21.0001251713310.61006-100000@cmgsccc.com> <200001251726.KAA04563@harmony.village.org> <388E1C3F.B2056E81@softweyr.com>
This is a multi-part message in MIME format. --------------CA0431C31B6036E0255056E7 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Wes Peters wrote: > > Warner Losh wrote: > > > > In message <Pine.BSF.4.21.0001251713310.61006-100000@cmgsccc.com> geniusj writes: > > : This patch does not seem to apply, using 3.4-STABLE branch did patch < > > : kern.patch from /sys, it applies, but many hunks failed.. Will this be the > > : official patch? You were the one working on it, no? :) > > > > This patch is for -current only. If a different one is needed for > > stable, we'll deal with that then. We're 3 days from code freeze, and > > I want to get something good into 4.0 to help limit the damage here. > > I'm importing this patch to a -STABLE machine now. Hold your horses, I > should be ready to post it in another hour or two. It's already running > on my laptop, but I want to make sure it applies cleanly against the > most up-to-date -STABLE I can get from cvsup8, to avoid complaints. OK, here's the diff, from -STABLE as of late yesterday evening. Anyone following this thread running -CURRENT or any other late model 3.X please test this and report any problems to me. A good eyeballing by others wouldn't hurt either. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ --------------CA0431C31B6036E0255056E7 Content-Type: text/plain; charset=us-ascii; name="tcp_input.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="tcp_input.patch" *** tcp_input.c.orig Thu Oct 14 05:49:38 1999 --- tcp_input.c Tue Jan 25 22:40:29 2000 *************** *** 432,438 **** } tp = intotcpcb(inp); if (tp == 0) ! goto dropwithreset; if (tp->t_state == TCPS_CLOSED) goto drop; --- 432,438 ---- } tp = intotcpcb(inp); if (tp == 0) ! goto maybedropwithreset; if (tp->t_state == TCPS_CLOSED) goto drop; *************** *** 460,466 **** */ if (tiflags & TH_ACK) { tcpstat.tcps_badsyn++; ! 
goto dropwithreset; } goto drop; } --- 460,466 ---- */ if (tiflags & TH_ACK) { tcpstat.tcps_badsyn++; ! goto maybedropwithreset; } goto drop; } *************** *** 676,682 **** if (tiflags & TH_RST) goto drop; if (tiflags & TH_ACK) ! goto dropwithreset; if ((tiflags & TH_SYN) == 0) goto drop; if ((ti->ti_dport == ti->ti_sport) && --- 676,682 ---- if (tiflags & TH_RST) goto drop; if (tiflags & TH_ACK) ! goto maybedropwithreset; if ((tiflags & TH_SYN) == 0) goto drop; if ((ti->ti_dport == ti->ti_sport) && *************** *** 688,693 **** --- 688,694 ---- * packet with M_BCAST not set. */ if (m->m_flags & (M_BCAST|M_MCAST) || + IN_MULTICAST(ntohl(ti->ti_src.s_addr)) || IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) goto drop; MALLOC(sin, struct sockaddr_in *, sizeof *sin, M_SONAME, *************** *** 809,815 **** if ((tiflags & TH_ACK) && (SEQ_LEQ(ti->ti_ack, tp->snd_una) || SEQ_GT(ti->ti_ack, tp->snd_max))) ! goto dropwithreset; break; /* --- 810,816 ---- if ((tiflags & TH_ACK) && (SEQ_LEQ(ti->ti_ack, tp->snd_una) || SEQ_GT(ti->ti_ack, tp->snd_max))) ! goto maybedropwithreset; break; /* *************** *** 1776,1782 **** if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && (SEQ_GT(tp->snd_una, ti->ti_ack) || SEQ_GT(ti->ti_ack, tp->snd_max)) ) ! goto dropwithreset; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); --- 1777,1783 ---- if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && (SEQ_GT(tp->snd_una, ti->ti_ack) || SEQ_GT(ti->ti_ack, tp->snd_max)) ) ! goto maybedropwithreset; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); *************** *** 1786,1791 **** --- 1787,1802 ---- (void) tcp_output(tp); return; + /* + * Conditionally drop with reset or just drop depending on whether + * we think we are under attack or not. 
+ */ + maybedropwithreset: + #ifdef ICMP_BANDLIM + if (badport_bandlim(1) < 0) + goto drop; + #endif + /* fall through */ dropwithreset: #ifdef TCP_RESTRICT_RST if (restrict_rst) *************** *** 1796,1802 **** * Make ACK acceptable to originator of segment. * Don't bother to respond if destination was broadcast/multicast. */ ! if ((tiflags & TH_RST) || m->m_flags & (M_BCAST|M_MCAST) || IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) goto drop; #ifdef TCPDEBUG --- 1807,1815 ---- * Make ACK acceptable to originator of segment. * Don't bother to respond if destination was broadcast/multicast. */ ! if ((tiflags & TH_RST) || ! m->m_flags & (M_BCAST|M_MCAST) || ! IN_MULTICAST(ntohl(ti->ti_src.s_addr)) || IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) goto drop; #ifdef TCPDEBUG --------------CA0431C31B6036E0255056E7-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
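Review bot: in the LISTEN-state hunk at line 688, the new test on ti->ti_src covers multicast sources only, so a SYN whose source is a broadcast address (for example INADDR_BROADCAST) still passes this check and reaches the MALLOC of sin. If the intent is to refuse every non-unicast source, add a broadcast-source test next to `IN_MULTICAST(ntohl(ti->ti_src.s_addr))`, or extend the comment above to say why only multicast needs handling here.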
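Review bot: in the hunk at line 1786 that adds the maybedropwithreset label, `badport_bandlim(1)` is called before the tests in dropwithreset that discard segments without replying (TH_RST set, broadcast/multicast), so if badport_bandlim counts every call, segments that would never have produced a reset still use up the rate-limit budget. Consider running the limiter only after those tests have passed. The literal argument 1 also deserves a named constant or a comment saying what it selects, and the block comment should state that without ICMP_BANDLIM defined this label is identical to dropwithreset, since "whether we think we are under attack" reads as unconditional.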
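Review bot: in the final hunk at line 1796 the retained comment still says "Don't bother to respond if destination was broadcast/multicast", but the condition now also drops on a multicast source via ti->ti_src; update the comment to mention the source address. While the condition is being reflowed across lines, parenthesising `m->m_flags & (M_BCAST|M_MCAST)` would make the || chain easier to read, matching the parenthesised `(tiflags & TH_RST)` on the first line.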