Date:      Tue, 1 Sep 1998 14:59:23 +1000 (EST)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        Don.Lewis@tsc.tdk.com (Don Lewis)
Cc:        security@FreeBSD.ORG
Subject:   Re: FreeBSD's RST validation
Message-ID:  <199809010500.WAA18524@hub.freebsd.org>
In-Reply-To: <199808312156.OAA28434@salsa.gv.tsc.tdk.com> from "Don Lewis" at Aug 31, 98 02:56:55 pm

Sigh, the correct patch is in the mail archives somewhere (either hackers or
here).  Just do the same as what NetBSD did.

Darren

In some mail from Bruce A. Mah, sie said:
> 
> If memory serves me right, Don Lewis wrote:
> 
> > Back in December 1997, I posted the following patch for the LAND attack
> > and also implemented stricter RST validation.  The variation of the
> > LAND fix in the first two chunks of this patch was implemented (you'll
> > have to look carefully at the code to find the second chunk), but I don't
> > believe the rest of the fixes in this patch were applied.
> >
> > I've been running a version of this patch altered for 2.1.x since December
> > without problems.  If you remove the first two chunks of this patch, it
> > will apply cleanly to the 2.2-stable version of tcp_input.c, though I have
> > no idea if it will work ...
> 
> [snip]
> 
> Personally, I had something a little less radical in mind.  Here's some
> context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to
> security-officer@freebsd.org last night after some quick testing.
> 
> Now someone can tell me why this isn't the right solution.  :-)
> 
> Bruce.
> 
> -----8<-----snip-----8<-----
> 
> *** tcp_input.c-dist    Mon May 18 10:12:44 1998
> --- tcp_input.c Sun Aug 30 21:22:32 1998
> ***************
> *** 809,815 ****
>                                 goto dropwithreset;
>                 }
>                 if (tiflags & TH_RST) {
> !                       if (tiflags & TH_ACK)
>                                 tp = tcp_drop(tp, ECONNREFUSED);
>                         goto drop;
>                 }
> --- 809,818 ----
>                                 goto dropwithreset;
>                 }
>                 if (tiflags & TH_RST) {
> !                       if ((tiflags & TH_ACK) &&
> !                       /* XXX outside window? XXX */
> !                           (SEQ_GT(ti->ti_ack, tp->iss) &&
> !                            SEQ_LEQ(ti->ti_ack, tp->snd_max)))
>                                 tp = tcp_drop(tp, ECONNREFUSED);
>                         goto drop;
>                 }
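Review bot: the `/* XXX outside window? XXX */` comment in the new condition sits between `&&` and its right operand, splitting the expression, and "outside window" is not what the test does: `SEQ_GT(ti->ti_ack, tp->iss) && SEQ_LEQ(ti->ti_ack, tp->snd_max)` is the acceptable-ACK test for SYN_SENT (the RST must acknowledge our SYN, RFC 793 section 3.9), not a receive-window test. Move the comment above the `if` and have it state the rule, e.g. `/* In SYN_SENT a RST is honoured only if it ACKs our SYN. */`. Also confirm that the block ending in `goto dropwithreset;` just above does not already reject ACKs outside (iss, snd_max]: if it does, a RST carrying an unacceptable ACK never reaches this point and the added range test can never fail; if the LAND change lets RSTs past that block, this becomes the only ACK validation for them and the comment should say so. The inner parentheses around the two SEQ_ tests are redundant but harmless.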
> ***************
> *** 1147,1152 ****
> --- 1150,1159 ----
>         case TCPS_FIN_WAIT_1:
>         case TCPS_FIN_WAIT_2:
>         case TCPS_CLOSE_WAIT:
> +               /* XXX outside window? XXX */
> +               if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
> +                   SEQ_LT(ti->ti_seq, tp->rcv_nxt))
> +                   goto drop;
>                 so->so_error = ECONNRESET;
>         close:
>                 tp->t_state = TCPS_CLOSED;
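Review bot: the new window test drops every RST while we advertise a zero receive window. With `tp->rcv_wnd == 0`, `SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd)` is true for `ti_seq == rcv_nxt` too, so a legitimate RST at the left edge is thrown away; RFC 793's acceptability test for a zero-length segment with RCV.WND = 0 accepts exactly SEG.SEQ = RCV.NXT. Special-case it, e.g. `if (tp->rcv_wnd == 0 ? ti->ti_seq != tp->rcv_nxt : (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) || SEQ_LT(ti->ti_seq, tp->rcv_nxt))) goto drop;`. The test also guards only these three case labels: a path that enters through `goto close` from another case skips it, so either hoist the check to before the `switch` or add it to every case that closes the connection. Finally, replace the `/* XXX outside window? XXX */` placeholder with a comment stating the rule (accept a RST only if rcv_nxt <= seq < rcv_nxt + rcv_wnd).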
> 
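The two checks the quoted patch makes, as an added example in plain C (not FreeBSD code and not part of this thread): the SYN_SENT acceptable-ACK test from the first hunk and the in-window test from the second, written with modulo-2^32 sequence comparisons and with the zero-window case that the second hunk's condition does not handle. The function names and sample values are constructed for illustration; the field names in the comments are the BSD tcpcb fields the patch refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not FreeBSD code: RST acceptability checks for the two
 * situations the quoted patch touches, as stand-alone functions.  Field
 * names in comments (iss, snd_max, rcv_nxt, rcv_wnd) are the BSD tcpcb
 * fields; the function names are our own.
 */
typedef uint32_t tcp_seq;

/* Modulo-2^32 comparisons, same idea as BSD's SEQ_LT/SEQ_GT/... macros.
 * A plain "<" would give wrong answers once the sequence space wraps. */
#define SEQ_LT(a, b)   ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b)  ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)   ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b)  ((int32_t)((a) - (b)) >= 0)

/*
 * SYN_SENT: honour a RST only if it carries an ACK that acknowledges our
 * SYN, i.e. iss < ack <= snd_max (RFC 793 section 3.9, SYN-SENT state;
 * the RFC writes SND.NXT where BSD keeps snd_max).  A RST with no ACK,
 * or with an ACK for something we never sent, is dropped silently.
 */
bool rst_ok_syn_sent(tcp_seq iss, tcp_seq snd_max, bool has_ack, tcp_seq ack)
{
    if (!has_ack)
        return false;
    return SEQ_GT(ack, iss) && SEQ_LEQ(ack, snd_max);
}

/*
 * Synchronized states: a RST carries no data, so the RFC 793 acceptability
 * test (section 3.3, SEG.LEN = 0 rows) reduces to
 *     rcv_wnd >  0:  rcv_nxt <= seq < rcv_nxt + rcv_wnd
 *     rcv_wnd == 0:  seq == rcv_nxt
 */
bool rst_ok_synchronized(tcp_seq rcv_nxt, uint32_t rcv_wnd, tcp_seq seq)
{
    if (rcv_wnd == 0)
        return seq == rcv_nxt;
    return SEQ_GEQ(seq, rcv_nxt) && SEQ_LT(seq, rcv_nxt + rcv_wnd);
}

/*
 * The condition exactly as the quoted patch writes it, for comparison.
 * It has no zero-window case, so with rcv_wnd == 0 it rejects a RST at
 * seq == rcv_nxt that the function above accepts.
 */
bool rst_ok_patch(tcp_seq rcv_nxt, uint32_t rcv_wnd, tcp_seq seq)
{
    return !(SEQ_GEQ(seq, rcv_nxt + rcv_wnd) || SEQ_LT(seq, rcv_nxt));
}

int main(void)
{
    /* Constructed sample state: we sent a SYN with iss = 1000. */
    const tcp_seq iss = 1000, snd_max = 1001;
    printf("SYN_SENT RST ack=1001 -> %s\n",
           rst_ok_syn_sent(iss, snd_max, true, 1001) ? "reset" : "drop");
    printf("SYN_SENT RST ack=1000 -> %s\n",
           rst_ok_syn_sent(iss, snd_max, true, 1000) ? "reset" : "drop");

    /* Constructed sample state: established, 16384-byte window at 5000. */
    const tcp_seq rcv_nxt = 5000;
    const uint32_t rcv_wnd = 16384;
    printf("ESTABLISHED RST seq=4999  -> %s\n",
           rst_ok_synchronized(rcv_nxt, rcv_wnd, 4999) ? "reset" : "drop");
    printf("ESTABLISHED RST seq=21384 -> %s\n",
           rst_ok_synchronized(rcv_nxt, rcv_wnd, 21384) ? "reset" : "drop");

    /* Wraparound: the window straddles 2^32; unsigned "<" would drop this. */
    printf("wrapped RST seq=0x10 -> %s\n",
           rst_ok_synchronized(0xFFFFFF00u, 0x1000, 0x10) ? "reset" : "drop");

    /* Zero window: the patch's condition drops even the in-place RST. */
    printf("zero window, seq=rcv_nxt: patch=%s, rfc=%s\n",
           rst_ok_patch(rcv_nxt, 0, rcv_nxt) ? "reset" : "drop",
           rst_ok_synchronized(rcv_nxt, 0, rcv_nxt) ? "reset" : "drop");
    return 0;
}
```

The wraparound case is the reason the BSD code compares with the SEQ_ macros rather than plain operators: a window that spans the 2^32 boundary is ordinary in a long-lived connection, and a naive `seq >= rcv_nxt` would reject every in-window segment after the wrap.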


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199809010500.WAA18524>