From owner-freebsd-security Mon Aug 31 22:00:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA18530 for freebsd-security-outgoing; Mon, 31 Aug 1998 22:00:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA18524 for ; Mon, 31 Aug 1998 22:00:51 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199809010500.WAA18524@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA085945963; Tue, 1 Sep 1998 14:59:23 +1000
From: Darren Reed
Subject: Re: FreeBSD's RST validation
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Tue, 1 Sep 1998 14:59:23 +1000 (EST)
Cc: security@FreeBSD.ORG
In-Reply-To: <199808312156.OAA28434@salsa.gv.tsc.tdk.com> from "Don Lewis" at Aug 31, 98 02:56:55 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sigh, the correct patch is in the mail archives somewhere (either hackers
or here).  Just do the same as what NetBSD did.

Darren

In some mail from Bruce A. Mah, sie said:
>
> If memory serves me right, Don Lewis wrote:
>
> > Back in December 1997, I posted the following patch for the LAND attack
> > and also implemented stricter RST validation.  The variation of the
> > LAND fix in the first two chunks of this patch was implemented (you'll
> > have to look carefully at the code to find the second chunk), but I don't
> > believe the rest of the fixes in this patch were applied.
> >
> > I've been running a version of this patch altered for 2.1.x since December
> > without problems.  If you remove the first two chunks of this patch, it
> > will apply cleanly to the 2.2-stable version of tcp_input.c, though I have
> > no idea if it will work ...
>
> [snip]
>
> Personally, I had something a little less radical in mind.  Here's some
> context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to
> security-officer@freebsd.org last night after some quick testing.
>
> Now someone can tell me why this isn't the right solution.  :-)
>
> Bruce.
>
> -----8<-----snip-----8<-----
>
> *** tcp_input.c-dist Mon May 18 10:12:44 1998
> --- tcp_input.c Sun Aug 30 21:22:32 1998
> ***************
> *** 809,815 ****
> goto dropwithreset;
> }
> if (tiflags & TH_RST) {
> ! if (tiflags & TH_ACK)
> tp = tcp_drop(tp, ECONNREFUSED);
> goto drop;
> }
> --- 809,818 ----
> goto dropwithreset;
> }
> if (tiflags & TH_RST) {
> ! if ((tiflags & TH_ACK) &&
> ! /* XXX outside window? XXX */
> ! (SEQ_GT(ti->ti_ack, tp->iss) &&
> ! SEQ_LEQ(ti->ti_ack, tp->snd_max)))
> tp = tcp_drop(tp, ECONNREFUSED);
> goto drop;
> }
> ***************
> *** 1147,1152 ****
> --- 1150,1159 ----
> case TCPS_FIN_WAIT_1:
> case TCPS_FIN_WAIT_2:
> case TCPS_CLOSE_WAIT:
> + /* XXX outside window? XXX */
> + if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
> + SEQ_LT(ti->ti_seq, tp->rcv_nxt))
> + goto drop;
> so->so_error = ECONNRESET;
> close:
> tp->t_state = TCPS_CLOSED;

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
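Review bot: in the 809,815 hunk the new condition sits directly under the `goto dropwithreset;` that closes the preceding check in the same state, so if that earlier check already rejects an ACK outside (iss, snd_max] with a reset, any segment carrying TH_ACK that reaches `if (tiflags & TH_RST)` already satisfies `SEQ_GT(ti->ti_ack, tp->iss) && SEQ_LEQ(ti->ti_ack, tp->snd_max)` and the hunk changes no behaviour; please confirm against the lines above 809 before this goes further. Independently of that, `/* XXX outside window? XXX */` should be replaced by a comment that says what is actually being validated: in this state there is no receive window to test against yet, only the acknowledgement number, and a RST that carries no ACK is still silently discarded by the unchanged `goto drop;`.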
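Review bot: the range test added in the 1147,1152 hunk rejects a legitimate RST whenever the receive window is closed, because with `tp->rcv_wnd == 0` the first clause `SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd)` is true for `ti_seq == rcv_nxt`, so the peer's reset is dropped and the socket stays open until it times out; RFC 793's acceptability test treats a segment at exactly `rcv_nxt` as acceptable when the window is zero, so that case needs a separate branch before the general `rcv_nxt <= seq < rcv_nxt + rcv_wnd` test. The check also only covers the FIN_WAIT_1, FIN_WAIT_2 and CLOSE_WAIT labels visible in the hunk; whether the states handled after the `close:` label need the same guard should be stated in the comment that replaces `/* XXX outside window? XXX */`, and the comment should say why an out-of-window RST is dropped silently rather than answered.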
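To make the window arithmetic in the thread concrete, here is an added C example (not code from the thread, from FreeBSD or from NetBSD) that models both checks the posted patch performs on a RST: the SYN_SENT test on the acknowledgement number and the established-state test on the sequence number. The `SEQ_*` macros reproduce the modular comparisons BSD defines in tcp_seq.h; `struct rst_ctx` is a hypothetical stand-in for the few `struct tcpcb` fields the checks read. `rst_in_window_patch` is the condition exactly as posted, while `rst_in_window` adds the zero-window special case that RFC 793's acceptability rules call for, so the difference between the two can be seen on real inputs, including sequence numbers that wrap past 2^32.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Modular sequence-space comparisons, as in BSD's tcp_seq.h: the
 * difference is interpreted as a signed 32-bit value so that numbers
 * that wrapped past 2^32 still compare in the right order. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* Hypothetical subset of struct tcpcb: only what the two checks read. */
struct rst_ctx {
    tcp_seq  iss;      /* initial send sequence number                  */
    tcp_seq  snd_max;  /* highest sequence number sent so far           */
    tcp_seq  rcv_nxt;  /* next sequence number expected from the peer   */
    uint32_t rcv_wnd;  /* receive window currently advertised to the peer */
};

/* SYN_SENT: a RST is only meaningful if it acknowledges our SYN, i.e. the
 * ACK number lies in (iss, snd_max]. A RST that fails this is dropped. */
bool rst_ack_valid_syn_sent(const struct rst_ctx *tp, tcp_seq ack)
{
    return SEQ_GT(ack, tp->iss) && SEQ_LEQ(ack, tp->snd_max);
}

/* The established-state condition exactly as the posted patch wrote it
 * (inverted so that true means "honour the RST"). With rcv_wnd == 0 the
 * first clause is true even for seq == rcv_nxt, so every RST is dropped. */
bool rst_in_window_patch(const struct rst_ctx *tp, tcp_seq seq)
{
    if (SEQ_GEQ(seq, tp->rcv_nxt + tp->rcv_wnd) || SEQ_LT(seq, tp->rcv_nxt))
        return false;
    return true;
}

/* Same test with the zero-window case handled as RFC 793 describes:
 * when no window is open, only a segment at exactly rcv_nxt is acceptable.
 * Otherwise the RST must satisfy rcv_nxt <= seq < rcv_nxt + rcv_wnd. */
bool rst_in_window(const struct rst_ctx *tp, tcp_seq seq)
{
    if (tp->rcv_wnd == 0)
        return seq == tp->rcv_nxt;
    return SEQ_GEQ(seq, tp->rcv_nxt) && SEQ_LT(seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* Number of distinct sequence values a RST may carry and still be accepted
 * by rst_in_window; without any check it would be all 2^32 of them. */
uint64_t rst_acceptable_count(const struct rst_ctx *tp)
{
    return tp->rcv_wnd == 0 ? 1 : (uint64_t)tp->rcv_wnd;
}

int main(void)
{
    /* Constructed state: window straddles the 2^32 wrap-around point. */
    struct rst_ctx est = { .iss = 0, .snd_max = 0,
                           .rcv_nxt = 0xFFFFFF00u, .rcv_wnd = 0x200 };
    tcp_seq probes[] = { 0xFFFFFEFFu, 0xFFFFFF00u, 0x000000FFu, 0x00000100u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("seq 0x%08x: patch=%d fixed=%d\n", probes[i],
               rst_in_window_patch(&est, probes[i]),
               rst_in_window(&est, probes[i]));

    /* Constructed state: receive window closed. */
    struct rst_ctx closed = { .iss = 0, .snd_max = 0,
                              .rcv_nxt = 1000, .rcv_wnd = 0 };
    printf("zero window, seq == rcv_nxt: patch=%d fixed=%d\n",
           rst_in_window_patch(&closed, 1000), rst_in_window(&closed, 1000));

    /* Constructed SYN_SENT state: we sent one SYN, so snd_max == iss + 1. */
    struct rst_ctx ss = { .iss = 100, .snd_max = 101, .rcv_nxt = 0, .rcv_wnd = 0 };
    printf("SYN_SENT ack 101: %d, ack 100: %d, ack 102: %d\n",
           rst_ack_valid_syn_sent(&ss, 101), rst_ack_valid_syn_sent(&ss, 100),
           rst_ack_valid_syn_sent(&ss, 102));
    printf("acceptable RST sequence values in established state: %llu\n",
           (unsigned long long)rst_acceptable_count(&est));
    return 0;
}
```

The `rst_acceptable_count` figure is the defensive point of the patch: before the check any of the 2^32 sequence values is honoured, after it only `rcv_wnd` of them are, which is why the comparison has to be done in modular arithmetic rather than with plain `<`, as the wrap-around probes in `main` show.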