From owner-freebsd-security  Mon Aug 31 19:59:22 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id TAA04569
          for freebsd-security-outgoing; Mon, 31 Aug 1998 19:59:22 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from stennis.ca.sandia.gov (stennis.ca.sandia.gov [146.246.243.44])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA04564
          for <security@FreeBSD.ORG>; Mon, 31 Aug 1998 19:59:21 -0700 (PDT)
          (envelope-from bmah@stennis.ca.sandia.gov)
Received: (from bmah@localhost)
	by stennis.ca.sandia.gov (8.9.1/8.9.1) id TAA26568;
	Mon, 31 Aug 1998 19:58:16 -0700 (PDT)
Message-Id: <199809010258.TAA26568@stennis.ca.sandia.gov>
X-Mailer: exmh version 2.0.2 2/24/98
To: Don Lewis <Don.Lewis@tsc.tdk.com>
cc: bmah@california.sandia.gov, BUGTRAQ@netspace.org, security@FreeBSD.ORG
Subject: Re: FreeBSD's RST validation 
In-reply-to: Your message of "Mon, 31 Aug 1998 14:56:55 PDT."
             <199808312156.OAA28434@salsa.gv.tsc.tdk.com> 
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Reply-to: bmah@CA.Sandia.GOV
X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5<Pi&akO)o^8;[r
 %l(8ZHlbF`dD>v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A
 2V%N&+
X-Url: http://www.ca.sandia.gov/~bmah/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 31 Aug 1998 19:58:16 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If memory serves me right, Don Lewis wrote:

> Now that I look at this change some more, I think your added tests are
> a NOP because of the code just above this:
> 
> 		if ((tiflags & TH_ACK) &&
>                     (SEQ_LEQ(ti->ti_ack, tp->iss) ||
>                      SEQ_GT(ti->ti_ack, tp->snd_max))) {
> 			[ snip comment ]
>                         if (taop->tao_ccsent != 0)
>                                 goto drop;
>                         else
>                                 goto dropwithreset;
> 
> If the ACK is outside the window, the packet will already have been
> dropped before we even look for the RST flag.

Ah, yes.  You're absolutely right.  So it appears only the second of the 
original patches is useful (if it's correct, that is).

This was a good day for me...I learned something.

Thanks!

Bruce.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message