From owner-freebsd-security Fri Jan 21 13:49:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (Postfix) with ESMTP id 5F2D11527D for ; Fri, 21 Jan 2000 13:49:08 -0800 (PST) (envelope-from jared@puck.nether.net) Received: (from jared@localhost) by puck.nether.net (8.9.3/8.9.3) id QAA04399; Fri, 21 Jan 2000 16:48:56 -0500 (envelope-from jared) Date: Fri, 21 Jan 2000 16:48:56 -0500 From: Jared Mauch To: Brett Glass Cc: Jared Mauch , Wes Peters , TrouBle , security@FreeBSD.ORG Subject: Re: stream.c worst-case kernel paths Message-ID: <20000121164856.A4055@puck.nether.net> Mail-Followup-To: Brett Glass , Wes Peters , TrouBle , security@FreeBSD.ORG References: <4.2.2.20000121140941.01a68b30@localhost> <200001211415.BAA12772@cairo.anu.edu.au> <20000121.16082400@bastille.netquick.net> <3888C7D2.D82BE362@softweyr.com> <4.2.2.20000121140941.01a68b30@localhost> <20000121162059.Y30675@puck.nether.net> <4.2.2.20000121143004.01908960@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <4.2.2.20000121143004.01908960@localhost>; from brett@lariat.org on Fri, Jan 21, 2000 at 02:35:16PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Packet comes in, and we look at type first I believe. RCV IP PKT -> Determine type enum { tcp udp raw ospf icmp ... } pass off to appropriate stack. udp stack deals with multicast, but if you receive traffic to a multicast address, that you haven't sent an igmp join to, you should drop the packet without looking at it further (Unless you are a multicast router). The TCP stack should discard 224.0.0.0/4 when it comes in if the src or dst are within that range. - Jared On Fri, Jan 21, 2000 at 02:35:16PM -0700, Brett Glass wrote: > That's what I thought. This is really pathological. Why do we allow > ourselves to send a RST to a multicast address, or accept an ACK from > one? Could lower layers of the stack flag the ACK as coming from > a multicast address so that we can nuke it before (or as) it hits > the TCP layer? I can imagine a whole potential family of exploits > involving multicast addresses and TCP. > > --Brett > > At 02:20 PM 1/21/2000 , Jared Mauch wrote: > > > In the multicast world you only send UDP (or other types), you > >do not send tcp packets out, because you can't do a three-way > >handshake. > > > > - jared > > > >On Fri, Jan 21, 2000 at 02:10:23PM -0700, Brett Glass wrote: > > > At 01:55 PM 1/21/2000 , Wes Peters wrote: > > > > > > >Be warned if you're using the exploit program: if you select random > > > >addresses, it may (will) pick multicast IP addresses, which may have > > > >unintended side affects on your network. Augh! > > > > > > Geeze. Is it even LEGAL to ACK multicast packets? > > > > > > --Brett > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > >-- > >Jared Mauch | pgp key available via finger from jared@puck.nether.net > >clue++; | http://puck.nether.net/~jared/ My statements are only mine. > >END OF LINE | -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. END OF LINE | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message