From owner-freebsd-security Tue Jun 3 04:24:50 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA23222 for security-outgoing; Tue, 3 Jun 1997 04:24:50 -0700 (PDT)
Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id EAA23208 for ; Tue, 3 Jun 1997 04:24:32 -0700 (PDT)
Received: (from darrenr@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id VAA03044; Tue, 3 Jun 1997 21:23:50 +1000
From: Darren Reed
Message-Id: <199706031123.VAA03044@plum.cyber.com.au>
Subject: Re: TCP RST Handling in 2.2 (fwd)
To: dg@root.com
Date: Tue, 3 Jun 1997 21:23:49 +1000 (EST)
Cc: security@freebsd.org
In-Reply-To: <199706031120.EAA06181@implode.root.com> from "David Greenman" at Jun 3, 97 04:20:16 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail I received from David Greenman, sie wrote
>
> >! if (tiflags&TH_RST) {
> >
> >! if ((ti->ti_seq != tp->rcv_nxt) ||
> >! (ti->ti_ack && ((SEQ_LEQ(ti->ti_ack, tp->iss) ||
> >! SEQ_GT(ti->ti_ack, tp->snd_max)))))
> >! goto drop;
>
> This looks highly bogus to me. What happens if the server crashes and comes
> back up? The code as written above appears to drop all attempts by the server
> to issue an RST...right?

No. An RST must be issued for a packet that it has received. These usually
come out of tcp_respond() which uses the original packet (with the SEQ & ACK
numbers).

Or is there a situation which I'm missing here?

Darren
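
Review bot: the second clause of the drop condition, (ti->ti_ack && ...), tests the acknowledgment number for being non-zero rather than testing whether the segment carries the ACK flag. The acknowledgment field is only meaningful when ACK is set, and zero is itself a legal acknowledgment value once sequence numbers wrap, so I would gate the range check on (tiflags & TH_ACK) instead. Separately, the first clause accepts an RST only when ti_seq equals rcv_nxt exactly; an RST whose sequence number lies inside the receive window but not at rcv_nxt is dropped, and a comment stating that this is intended would help.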