Date: Fri, 21 Nov 2008 19:56:26 +0100
From: Hartmut Brandt <hartmut.brandt@dlr.de>
To: Andre Oppermann <andre@freebsd.org>
Cc: freebsd-net@freebsd.org, bz@freebsd.org, Harti Brandt <harti@freebsd.org>, Rui Paulo <rpaulo@freebsd.org>
Subject: Re: TCP and syncache question
Message-ID: <4927045A.8020805@dlr.de>
In-Reply-To: <49255D5B.5040303@freebsd.org>
References: <491F2C47.4050500@dlr.de> <0A4BB2F1-AC9F-4316-94E3-790E2D80F651@freebsd.org> <49201859.2080605@dlr.de> <4921B3C6.5020002@freebsd.org> <4921F2CD.503@freebsd.org> <20081119234543.A90462@beagle.kn.op.dlr.de> <49255D5B.5040303@freebsd.org>

Andre Oppermann wrote:
> Harti Brandt wrote:
>> Hi Andre,
>>
>> On Mon, 17 Nov 2008, Andre Oppermann wrote:
>>
>> AO>This is a bit more complicated because of interactions with tcp_input()
>> AO>where syncache_expand() is called from.
>> AO>
>> AO>The old code (as of December 2002) behaved slightly different. It would
>> AO>not remove the syncache entry when (SND.UNA == SEG.ACK) but send a RST.
>> AO>The (RCV.NXT =< SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND) test wasn't done at
>> AO>all. Instead a socket was opened whenever (SND.UNA == SEG.ACK) succeeded.
>> AO>This gave way to the "LAND" DoS attack which was mostly fixed with a test
>> AO>for (RCV.IRS < SEG.SEQ).
>> AO>
>> AO>See the attached patch for fixed version of syncache_expand(). This patch
>> AO>is untested though. My development machine is currently down. Harti, Rui
>> AO>and Bjoern, please have a look at the patch and review it.
>>
>> Some small problems:
> ...
>> Need another cast here: *lsop = (struct socket *)1.
>
> Changed the logic to use a NULL *lsop to differentiate in tcp_input().
> Much simpler.

Turns out there is a bug in the patch: after the call to syncache_lookup()
a test sc == NULL is made and if sc == NULL and may goto sendrst:

sendrst:
	if (sc != &scs)
		syncache_free(sc);

Here syncache_free panics because of the NULL passed to it. I suppose both
gotos under the if() should go to sendrstkeep instead.

harti
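
A simplified model of the cleanup-label problem reported in the message above, added here as an example; it is not the patch under review and not FreeBSD code. The names entry, entry_free, expand, cookie_ok and fixed are hypothetical, and the on-stack fallback entry is an assumption made to give the `sc != &scs` comparison something to guard.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for a syncache entry; not FreeBSD's struct syncache. */
struct entry { unsigned iss; };

/* null_frees: cleanup handed NULL (a panic in the kernel); frees: real frees. */
static int null_frees, frees;
/* Stand-in for syncache_free(): counts the NULL case instead of crashing. */
static void entry_free(struct entry *e)
{
    if (e == NULL) { null_frees++; return; }
    frees++;
    free(e);
}

/* sc: lookup result (NULL = none). cookie_ok: assumed fallback that rebuilds
 * the entry on the stack. fixed: use the label proposed in the mail.
 * Returns 1 if the handshake completes, 0 if a RST would be sent. */
static int expand(struct entry *sc, int cookie_ok, unsigned seg_ack, int fixed)
{
    struct entry scs = { 0 };
    if (sc == NULL) {
        if (!cookie_ok) {
            if (fixed)
                goto sendrstkeep;   /* nothing was found, nothing to free */
            goto sendrst;           /* old label: cleanup runs with sc == NULL */
        }
        scs.iss = seg_ack - 1;      /* constructed: fallback accepted this ACK */
        sc = &scs;
    }
    if (seg_ack != sc->iss + 1)     /* ACK must acknowledge our SYN */
        goto sendrst;
    if (sc != &scs)
        entry_free(sc);             /* entry consumed on success */
    return 1;
sendrst:
    if (sc != &scs)                 /* also true when sc is NULL */
        entry_free(sc);
sendrstkeep:
    return 0;
}

int main(void)
{
    expand(NULL, 0, 100, 0);
    printf("old label: %d NULL free(s)\n", null_frees);
    return 0;
}
```

The guard `sc != &scs` only excludes the stack entry, so a failed lookup reaches the free routine unless the jump skips the cleanup label.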