From: "Kristof Provost" <kp@FreeBSD.org>
To: "Alexandr Krivulya"
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:08.tcp
Date: Thu, 16 Aug 2018 13:58:07 +0100
Message-ID: <5BB8F247-B799-4839-9E0E-E331B8EA85DB@FreeBSD.org>
In-Reply-To: <306fd368-1093-ace2-7075-a9c6d2bf6860@shurik.kiev.ua>
References: <20180815054732.9D8C61C2C8@freefall.freebsd.org> <306fd368-1093-ace2-7075-a9c6d2bf6860@shurik.kiev.ua>
On 15 Aug 2018, at 15:25, Alexandr Krivulya wrote:
> Hi, freebsd-security
>
> Can CVE-2018-6922 be addressed by pf's fragment reassemble and
> reassemble tcp options, or can it potentially lead to memory overflow
> (set limit frags?) when these options are enabled?
>

No. While pf does limit the maximum number of IP fragments it'll hold on to, this number is large enough that it's still possible to cause it to use excessive amounts of CPU time.

pf does not reassemble tcp segments, so it won't protect you against that variant of the attack. The good news there is that it is not itself vulnerable to it (for the same reason).

I'm looking into limiting the number of fragments per packet to ensure there can't be excessive CPU use, but that's not ready to be committed yet.

--
Kristof