From owner-freebsd-net Mon May 18 15:17:32 1998
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA19883 for freebsd-net-outgoing; Mon, 18 May 1998 15:17:32 -0700 (PDT) (envelope-from owner-freebsd-net@FreeBSD.ORG)
Received: from jlf0.jlf.es (h005065.nexo.es [194.75.5.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA19734 for ; Mon, 18 May 1998 15:16:53 -0700 (PDT) (envelope-from jlfreniche@acm.org)
Received: from acm.org (localhost.jlf.es [127.0.0.1]) by jlf0.jlf.es (8.8.8/8.8.8) with ESMTP id AAA00381 for ; Tue, 19 May 1998 00:16:05 +0200 (CEST) (envelope-from jlfreniche@acm.org)
Message-ID: <3560B324.EE6EA57B@acm.org>
Date: Tue, 19 May 1998 00:16:04 +0200
From: "Juan L. Freniche" <jlfreniche@acm.org>
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.6-RELEASE i386)
MIME-Version: 1.0
To: FreeBSD NET <freebsd-net@FreeBSD.ORG>
Subject: Questions on FreeBSD Security Advisory: FreeBSD-SA-98:03.ttcp REVISED
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id PAA19784
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This morning a FreeBSD security advisory was corrected in the FreeBSD announce mailing list, regarding a hole in the T/TCP implementation. It can be retrieved from ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:03/

The following modification to /usr/src/sys/netinet/tcp_input.c was recommended:
@@ -680,7 +680,9 @@ * - otherwise do a normal 3-way handshake. */ if ((to.to_flag & TOF_CC) != 0) { - if (taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) { + if (((tp->t_flags & TF_NOPUSH) != 0) && + taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) { + taop->tao_cc = to.to_cc; tp->t_state = TCPS_ESTABLISHED;

I don't completely understand the proposed solution. Remember that the state is LISTEN and TF_NOPUSH was set (see the code below the label findpcb in tcp_input.c). A segment is received; it passes if SYN is present and the other filters are OK. When reaching the TAO test, the proposal expands the test with ((tp->t_flags & TF_NOPUSH) != 0), which is always true! Can anybody tell me what I am missing?

Second question: in tcp_input.c, when the clone socket is created, the clone connection is moved to LISTEN and TF_NOPUSH is set. However, if you have a look at the ttcp man page, it is recommended (SERVER SUPPORT, item list 1) that TCP_NOPUSH be set for the master connection, but this flag is already set for any clone! Even more, if you reset the flag for the master connection, it will have no effect on its clones. By the way, setting the flag for clone connections is not found in the Stevens book, vol. 3.

--
--------------------------
E-Mail: jlfreniche@acm.org
--------------------------
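Review bot: the new `((tp->t_flags & TF_NOPUSH) != 0)` guard in the TAO test has no comment explaining why the push-disable flag should decide whether a SYN may skip the 3-way handshake; the only comment visible in the hunk (`* - otherwise do a normal 3-way handshake. */`) still describes the CC comparison alone. Add a line next to the condition stating the intended invariant (that only connections the listener marked for T/TCP server use may take the fast path), and confirm that TF_NOPUSH is not set unconditionally on every cloned listener, because in that case the guard is a tautology and `taop->tao_cc = to.to_cc; tp->t_state = TCPS_ESTABLISHED;` is reached exactly as it was before the patch.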
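To make the question in the message concrete, here is an added example (not code from the advisory, from tcp_input.c or from the poster): a stand-alone model of the T/TCP TAO acceptance test in its original and REVISED forms, driven by constructed SYN scenarios. It shows that when TF_NOPUSH is set on every cloned connection the two versions decide identically, that only a connection without the flag is treated differently, and that the CC comparison is modular. The struct and function names are this example's own, the TF_NOPUSH bit value is an assumption (only its presence matters), and CC_GT is modelled as the usual signed-difference comparison on 32-bit connection counts.

```c
/* Added example, not code from the advisory, tcp_input.c or the post: a model
 * of the TAO test before and after the SA-98:03 REVISED hunk. Names below are
 * this example's own; TF_NOPUSH's bit value is assumed (only its presence
 * matters); CC_GT is the modular "greater than" on 32-bit connection counts. */
#include <stdint.h>
#include <stdio.h>

#define TF_NOPUSH 0x1000                          /* assumed bit value */
#define CC_GT(a, b) ((int32_t)((a) - (b)) > 0)    /* modular compare of CCs */

typedef enum { TCPS_LISTEN, TCPS_SYN_RECEIVED, TCPS_ESTABLISHED } tcp_state_t;

struct tao_entry { uint32_t tao_cc; };            /* cached CC for this peer */
struct tcpcb { unsigned t_flags; tcp_state_t t_state; };
struct tcp_opts { int has_cc; uint32_t to_cc; };  /* CC option carried on the SYN */

/* Decision shared by both versions once the guard (if any) has been evaluated. */
static tcp_state_t tao_decide(struct tcpcb *tp, struct tao_entry *taop,
                              const struct tcp_opts *to, int guard_ok)
{
    if (to->has_cc && guard_ok &&
        taop->tao_cc != 0 && CC_GT(to->to_cc, taop->tao_cc)) {
        taop->tao_cc = to->to_cc;           /* cache update shown in the hunk */
        tp->t_state = TCPS_ESTABLISHED;     /* TAO test passed: no 3-way handshake */
    } else {
        tp->t_state = TCPS_SYN_RECEIVED;    /* fall back to the normal handshake */
    }
    return tp->t_state;
}

/* Pre-patch form: the CC comparison alone decides. */
static tcp_state_t tao_accept_original(struct tcpcb *tp, struct tao_entry *taop,
                                       const struct tcp_opts *to)
{
    return tao_decide(tp, taop, to, 1);
}

/* REVISED form: additionally require TF_NOPUSH on the (cloned) connection. */
static tcp_state_t tao_accept_revised(struct tcpcb *tp, struct tao_entry *taop,
                                      const struct tcp_opts *to)
{
    return tao_decide(tp, taop, to, (tp->t_flags & TF_NOPUSH) != 0);
}

/* Constructed SYN scenarios: {has_cc, to_cc}, checked against a cached CC of 100. */
static const struct tcp_opts kSyns[] = {
    { 1, 101 },        /* fresh CC larger than the cache: TAO passes */
    { 1, 100 },        /* CC equal to the cache: handshake */
    { 1, 50 },         /* stale CC: handshake */
    { 0, 0 },          /* no CC option at all: handshake */
    { 1, 5 },          /* CC wrapped past 2^32: used by cc_wraps_around() */
};
#define NSYNS (sizeof kSyns / sizeof kSyns[0])

/* The post's point: with TF_NOPUSH set on every clone, both versions agree on
 * every SYN, so the added guard changes nothing. Returns 1 if they agree. */
static int same_decision_when_nopush_set(void)
{
    for (size_t i = 0; i < NSYNS; i++) {
        struct tcpcb a = { TF_NOPUSH, TCPS_LISTEN }, b = { TF_NOPUSH, TCPS_LISTEN };
        struct tao_entry ta = { 100 }, tb = { 100 };
        if (tao_accept_original(&a, &ta, &kSyns[i]) !=
            tao_accept_revised(&b, &tb, &kSyns[i]))
            return 0;
    }
    return 1;
}

/* Only a connection without TF_NOPUSH is treated differently: the revised code
 * forces the handshake where the original would have skipped it. */
static int revised_requires_nopush(void)
{
    struct tcpcb a = { 0, TCPS_LISTEN }, b = { 0, TCPS_LISTEN };
    struct tao_entry ta = { 100 }, tb = { 100 };
    return tao_accept_original(&a, &ta, &kSyns[0]) == TCPS_ESTABLISHED &&
           tao_accept_revised(&b, &tb, &kSyns[0]) == TCPS_SYN_RECEIVED;
}

/* CC_GT is modular: a small CC just after 32-bit wrap still counts as newer. */
static int cc_wraps_around(void)
{
    struct tcpcb tp = { TF_NOPUSH, TCPS_LISTEN };
    struct tao_entry tao = { 0xFFFFFFF0u };
    return tao_accept_revised(&tp, &tao, &kSyns[4]) == TCPS_ESTABLISHED;
}

int main(void)
{
    printf("guard is a no-op with TF_NOPUSH always set: %s\n",
           same_decision_when_nopush_set() ? "yes" : "no");
    printf("guard forces handshake without TF_NOPUSH: %s\n",
           revised_requires_nopush() ? "yes" : "no");
    printf("CC comparison survives 32-bit wrap: %s\n",
           cc_wraps_around() ? "yes" : "no");
    return 0;
}
```

Compile with `cc -std=c99 -Wall tao_model.c` and run the binary; the first line of output is the behaviour the message asks about, and the second line shows the only situation in which the guard has any effect at all, which is why the question of how TF_NOPUSH gets onto cloned connections decides whether the patch changes anything.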