Date: Thu, 20 Jan 2000 23:32:42 -0700
From: Wes Peters
To: Brett Glass
Cc: Darren Reed, Warner Losh, jamiE rishaw - master e*tard, Tom, Mike Tancsa, freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?

Brett Glass wrote:
>
> At 06:03 PM 1/20/2000, Darren Reed wrote:
>
> >If you're using "flags S keep state" or "flags S/SA keep state",
> >then as far as I'm aware, having read the code, you are safe.
>
> This might be a workaround. What rule(s) would have to follow it
> to block the ACK?
>
> >I'm intrigued to know what the bug is. Reading the code, it is
> >hard to see how you could make a box fall over using it, unless
> >there were some serious problems in how random TCP ACKs were
> >handled.
>
> My guess is that there's a long code path, or other inefficiency,
> in the way the ACK is handled. Perhaps a linear search for the
> right socket instead of one that's more cleverly implemented
> (e.g. search by port, then address, etc.).

I don't think so. The handling for bare TCP ACKs isn't all that bad,
so I'm not seeing the bug. Maybe tomorrow, after I've slept a bit.
Tonight it's just escaping me. From the report, it's obviously a
resource usage problem, where the ACKs are being queued up or
something, but I can't see it tonight.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                        Softweyr LLC
wes@softweyr.com                          http://softweyr.com/