From owner-freebsd-security Fri Nov 21 05:01:15 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id FAA05797 for security-outgoing; Fri, 21 Nov 1997 05:01:15 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id FAA05791 for ; Fri, 21 Nov 1997 05:01:12 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id FAA28278; Fri, 21 Nov 1997 05:00:59 -0800 (PST)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id FAA16152; Fri, 21 Nov 1997 05:00:58 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id FAA14741; Fri, 21 Nov 1997 05:00:57 -0800 (PST)
From: Don Lewis
Message-Id: <199711211300.FAA14741@salsa.gv.tsc.tdk.com>
Date: Fri, 21 Nov 1997 05:00:57 -0800
In-Reply-To: Jim Shankland "Re: new TCP/IP bug in win95 (fwd)" (Nov 20, 2:08pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Jim Shankland , robert@cyrus.watson.org
Subject: Re: new TCP/IP bug in win95 (fwd)
Cc: security@freebsd.org
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 20, 2:08pm, Jim Shankland wrote:
} Subject: Re: new TCP/IP bug in win95 (fwd)
} Interesting.  So the TCP stack gets into a lively conversation with
} itself, since the source-address and port are the same as the
} destination address and port.
}
} The obvious fix would appear to be to drop such packets in tcp_input.c
} when the TCP state is TCPS_LISTEN.

I think the proper fix is to move this check that is done in the ACK
processing code:

	case TCPS_SYN_RECEIVED:
		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
		    SEQ_GT(ti->ti_ack, tp->snd_max))
			goto dropwithreset;

to a point before the code that trims the data to fit the window (which
may do "goto dropafterack;").  The code for the SYN_SENT state does such
a check early in the code.  Ironically the FreeBSD tcp_input()
implementation also used this part of the SYN_SENT code in the SYN_RCVD
state, but that was undone because the RST handling in this same section
of code was not appropriate in the SYN_RCVD state.

I think something like this (untested) patch should do the trick:

--- tcp_input.c.prev	Fri Nov 21 04:34:51 1997
+++ tcp_input.c	Fri Nov 21 05:00:07 1997
@@ -752,6 +752,17 @@ } /* + * If the state is SYN_RCVD: + * if seg contains an ACK, but not for our SYN,ACK, drop the input. + * Otherwise continue processing + */ + case TCPS_SYN_RECEIVED: + if (SEQ_GT(tp->snd_una, ti->ti_ack) || + SEQ_GT(ti->ti_ack, tp->snd_max)) + goto dropwithreset; + break; /* continue normal processing */ + + /* * If the state is SYN_SENT: * if seg contains an ACK, but not for our SYN, drop the input. * if seg contains a RST, then drop the connection. @@ -1171,9 +1182,7 @@ * send an RST. */ case TCPS_SYN_RECEIVED: - if (SEQ_GT(tp->snd_una, ti->ti_ack) || - SEQ_GT(ti->ti_ack, tp->snd_max)) - goto dropwithreset; + /* ACK validation was done earlier, before window trim */ tcpstat.tcps_connects++; soisconnected(so);
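Review bot: in the new TCPS_SYN_RECEIVED case added at the first hunk (@@ -752), the ack comparison runs on every segment, although the case's own comment (and the SYN_SENT comment right below it) says "if seg contains an ACK". A segment without the ACK bit, such as a retransmitted SYN or a bare RST, is then judged on whatever sits in its unused ack field and may be dropped with a reset before the normal SYN and RST handling ever sees it. Guard the comparison on the ACK flag, e.g. `if ((tiflags & TH_ACK) && (SEQ_GT(tp->snd_una, ti->ti_ack) || SEQ_GT(ti->ti_ack, tp->snd_max)))`, so that the early check only rejects bad ACKs and everything else still falls through to `break`.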
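Review bot: in the second hunk (@@ -1171), the comment block above `case TCPS_SYN_RECEIVED:` still ends with "send an RST.", describing the reset that the three removed lines used to issue, so after this change the comment and the code disagree. Reword that block (or fold the added "ACK validation was done earlier, before window trim" remark into it) so a reader of `tcpstat.tcps_connects++; soisconnected(so);` can see that the path now relies on the check in the first hunk having already rejected a bad ACK.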
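To make the ordering argument in the mail concrete, here is an added example (written for this page, not code from the mail or from FreeBSD's tcp_input.c): a cut-down C model of the two steps in which the window trim is reduced to an in-window test, the BSD SEQ_GT macro is reproduced, and the ACK comparison is guarded on the ACK bit. The names tcb, seg, bad_ack, outside_window and syn_rcvd_input are assumptions of the example.

```c
/* Added example, not code from the mail or from FreeBSD's tcp_input.c: a
 * cut-down model of the two steps whose order the mail discusses. */
#include <stdint.h>
#include <stdio.h>

/* BSD sequence-space comparisons: modular, so they survive 32-bit wrap. */
#define SEQ_GT(a, b) ((int32_t)((a) - (b)) > 0)
#define SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)

enum action { CONTINUE, DROP_AFTER_ACK, DROP_WITH_RESET };

struct tcb { uint32_t snd_una, snd_max, rcv_nxt, rcv_wnd; };
struct seg { uint32_t seq, ack; int has_ack; };

/* The check the mail wants moved; guarded on the ACK bit so SYN-only or
 * RST-only segments are not judged on an unused ack field. */
static int bad_ack(const struct tcb *tp, const struct seg *s)
{
    return s->has_ack &&
           (SEQ_GT(tp->snd_una, s->ack) || SEQ_GT(s->ack, tp->snd_max));
}

/* Stand-in for the window-trim step: a segment starting outside the
 * receive window is answered with an ACK ("goto dropafterack"). */
static int outside_window(const struct tcb *tp, const struct seg *s)
{
    return SEQ_LT(s->seq, tp->rcv_nxt) ||
           !SEQ_LT(s->seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* One segment arriving in SYN_RCVD; ack_check_first selects the order. */
enum action syn_rcvd_input(const struct tcb *tp, const struct seg *s,
                           int ack_check_first)
{
    if (ack_check_first && bad_ack(tp, s))
        return DROP_WITH_RESET;
    if (outside_window(tp, s))
        return DROP_AFTER_ACK;          /* the old code reached this first */
    if (!ack_check_first && bad_ack(tp, s))
        return DROP_WITH_RESET;
    return CONTINUE;
}

int main(void)
{
    /* Constructed state: our SYN,ACK used iss 1000; the peer's SYN had seq 5000. */
    struct tcb tp = { 1000, 1001, 5001, 8192 };
    /* Constructed segment: out of window, and its ACK covers neither 1000 nor 1001. */
    struct seg s = { 1000, 777, 1 };
    printf("trim first -> %d, ack check first -> %d\n",
           syn_rcvd_input(&tp, &s, 0), syn_rcvd_input(&tp, &s, 1));
    return 0;
}
```

With the trim first the out-of-window segment is answered with an ACK (the back-and-forth the thread describes); with the ACK check first the same segment is dropped with a reset.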