From owner-freebsd-security  Mon Aug 31 11:56:54 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA09913
          for freebsd-security-outgoing; Mon, 31 Aug 1998 11:56:54 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA09907
          for <security@FreeBSD.ORG>; Mon, 31 Aug 1998 11:56:51 -0700 (PDT)
          (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191])
	by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id LAA25851;
	Mon, 31 Aug 1998 11:55:10 -0700 (PDT)
	(envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194])
	by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id LAA26017;
	Mon, 31 Aug 1998 11:55:09 -0700 (PDT)
Received: (from gdonl@localhost)
	by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id LAA28095;
	Mon, 31 Aug 1998 11:55:08 -0700 (PDT)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199808311855.LAA28095@salsa.gv.tsc.tdk.com>
Date: Mon, 31 Aug 1998 11:55:07 -0700
In-Reply-To: bmah@CA.Sandia.GOV (Bruce A. Mah)
       "Re: FreeBSD's RST validation" (Aug 31, 11:24am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: bmah@CA.Sandia.GOV
Subject: Re: FreeBSD's RST validation
Cc: Tristan Horn <tristan+-eyixqg@ETHEREAL.NET>, BUGTRAQ@netspace.org,
        security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Aug 31, 11:24am, Bruce A. Mah wrote:
} Subject: Re: FreeBSD's RST validation
} 
} Personally, I had something a little less radical in mind.  Here's some 
} context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to 
} security-officer@freebsd.org last night after some quick testing.
} 
} Now someone can tell me why this isn't the right solution.  :-)
} 
} Bruce.
} 
} -----8<-----snip-----8<-----
} 
} *** tcp_input.c-dist	Mon May 18 10:12:44 1998
} --- tcp_input.c	Sun Aug 30 21:22:32 1998
} ***************
} *** 809,815 ****
}   				goto dropwithreset;
}   		}
}   		if (tiflags & TH_RST) {
} ! 			if (tiflags & TH_ACK)
}   				tp = tcp_drop(tp, ECONNREFUSED);
}   			goto drop;
}   		}
} --- 809,818 ----
}   				goto dropwithreset;
}   		}
}   		if (tiflags & TH_RST) {
} ! 			if ((tiflags & TH_ACK) &&
} ! 			/* XXX outside window? XXX */
} ! 			    (SEQ_GT(ti->ti_ack, tp->iss) && 
} ! 			     SEQ_LEQ(ti->ti_ack, tp->snd_max)))
}   				tp = tcp_drop(tp, ECONNREFUSED);
}   			goto drop;
}   		}

As more data is sent across the connection, the wider the window for
a spoofed RST opens.  Once you send 2 GB, legitimate RSTs no longer
work.  You should probably be comparing against tp->snd_una instead
of tp->iss.

} ***************
} *** 1147,1152 ****
} --- 1150,1159 ----
}   	case TCPS_FIN_WAIT_1:
}   	case TCPS_FIN_WAIT_2:
}   	case TCPS_CLOSE_WAIT:
} + 		/* XXX outside window? XXX */
} + 		if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
} + 		    SEQ_LT(ti->ti_seq, tp->rcv_nxt))
} + 		    goto drop;
}   		so->so_error = ECONNRESET;
}   	close:
}   		tp->t_state = TCPS_CLOSED;

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message