From owner-freebsd-net Sat Feb 23 4:45:49 2002
Delivered-To: freebsd-net@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP
	id E28EA37B402; Sat, 23 Feb 2002 04:45:41 -0800 (PST)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.11.6/8.11.2) id g1NCjan54144;
	Sat, 23 Feb 2002 14:45:36 +0200 (EET)
	(envelope-from ru)
Date: Sat, 23 Feb 2002 14:45:35 +0200
From: Ruslan Ermilov
To: "Crist J. Clark"
Cc: net@FreeBSD.ORG
Subject: Re: TCP Connections to a Broadcast Address
Message-ID: <20020223124535.GB52291@sunbay.com>
References: <20020222022626.A83807@blossom.cjclark.org> <20020223115033.GB47437@sunbay.com> <20020223042828.E16048@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020223042828.E16048@blossom.cjclark.org>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Feb 23, 2002 at 04:28:28AM -0800, Crist J. Clark wrote:
> On Sat, Feb 23, 2002 at 01:50:33PM +0200, Ruslan Ermilov wrote:
> [snip]
>
> > Nice catch!
>
> Igor M Podlesny, PR misc/35022, caught it. I just
> analyzed it.
>
> [snip]
>
> > The patch is incomplete (see dropwithreset below). Here's the tcp_input.c
> > part of the original delta that introduced this bug:
>
> I considered what to do for non-SYN segments, but I didn't see a
> requirement in the standards (I may have missed it), so I just didn't
> touch it.
>
> > : Script started on Sat Feb 23 13:37:18 2002
> > : $ sccs prs -r7.35 tcp_input.c
> > : D 7.35 93/04/07 19:28:08 sklower 159 158 00007/00003/01623
> > : MRs:
> > : COMMENTS:
> > : Mostly changes recommended by jch for variable subnets & multiple
> > : IP addresses per physical interface. May require further work.
>
> [snip]
>
> > I think you should just back the CSRG revision 7.35 out of tcp_input.c,
> > mentioning what was wrong with removing in_broadcast() check.
>
> Where'd you pull this out? I'll integrate this version.
>
> > route add -net 192.168.4 192.168.1.1
> > ping 192.168.4.255
> >
> > on a directly attached 192.168.1 network isn't a "malicious use".
>
> Then I would put that under the "misconfigured" header. The machine
> you are pinging from would have to be local to 192.168.4.0/24 also,
> why are you routing it through 192.168.1.1? But there may be some
> situations that I have not considered where one might wish to do
> that.
>
Um, why?

Router B: if0 (192.168.1.1/24) and if1 (192.168.4.1/24)
Router A: if0 (192.168.1.2/24)

On router A: route add -net 192.168.4 192.168.1.1, telnet 192.168.4.255.

Or even simpler:

Router: if0 (192.168.1.1/24 and 192.168.100.1/24)
Host: if0 (192.168.1.2, default gateway 192.168.1.1)

On host:

$ ping 192.168.100.255
PING 192.168.100.255 (192.168.100.255): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=0.245 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.207 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.207 ms
^C
--- 192.168.100.255 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.207/0.220/0.245/0.018 ms

$ telnet 192.168.100.255 25
Trying 192.168.100.255...
Connected to 192.168.100.255.
Escape character is '^]'.
220 my.router.local.net ESMTP Sendmail 8.11.6/8.11.2; Sat, 23 Feb 2002 14:39:21 +0200 (EET)

> Anyway, if there are legit configurations where this rears its head,
> it is even worse.
>
Yes. :-)

Cheers,
--
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
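
The thread turns on a destination-address broadcast check missing from the TCP input path. The following is an added user-space sketch of such a check, not FreeBSD's in_broadcast() or tcp_input.c and not code from the message. The names `struct ifaddr4`, `is_broadcast_dst` and `tcp_dst_verdict` are hypothetical, and it models only the limited broadcast and the all-ones-host form, using the two-address router from the message as constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical model of one IPv4 address on an interface (host byte order). */
struct ifaddr4 { uint32_t addr, mask; };

/* Constructed sample: the "Router" from the message, if0 with two addresses. */
static const struct ifaddr4 router_if0[] = {
    { IP4(192, 168, 1, 1),   IP4(255, 255, 255, 0) },
    { IP4(192, 168, 100, 1), IP4(255, 255, 255, 0) },
};
#define ROUTER_IF0_N (sizeof(router_if0) / sizeof(router_if0[0]))

/* 1 if dst is the limited broadcast or the all-ones-host broadcast of any
 * configured network, else 0. Every alias is checked, not just the first. */
int is_broadcast_dst(uint32_t dst, const struct ifaddr4 *ifa, size_t n)
{
    if (dst == 0xffffffffu)
        return 1;
    for (size_t i = 0; i < n; i++) {
        uint32_t hostbits = ~ifa[i].mask;
        if (hostbits <= 1)      /* /31 and /32: no broadcast address */
            continue;
        if ((dst & ifa[i].mask) == (ifa[i].addr & ifa[i].mask) &&
            (dst & hostbits) == hostbits)
            return 1;
    }
    return 0;
}

enum verdict { TCP_ACCEPT, TCP_DROP };

/* Example policy: a TCP segment whose destination is a broadcast address is
 * dropped before any connection state is created. */
enum verdict tcp_dst_verdict(uint32_t dst, const struct ifaddr4 *ifa, size_t n)
{
    return is_broadcast_dst(dst, ifa, n) ? TCP_DROP : TCP_ACCEPT;
}

int main(void)
{
    uint32_t probes[] = { IP4(192, 168, 100, 255), IP4(192, 168, 100, 1) };
    for (size_t i = 0; i < 2; i++)
        printf("%08x -> %s\n", (unsigned)probes[i],
               tcp_dst_verdict(probes[i], router_if0, ROUTER_IF0_N) == TCP_DROP
                   ? "drop" : "accept");
    return 0;
}
```

With this check in front of connection setup, the `telnet 192.168.100.255 25` from the message would get no connection, while the router's unicast address 192.168.100.1 is still accepted.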