From owner-freebsd-net Mon Jun 1 11:37:58 1998
Message-ID: <3572F515.F85A651@acm.org>
Date: Mon, 01 Jun 1998 20:38:13 +0200
From: "Juan L. Freniche"
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.6-RELEASE i386)
To: FreeBSD NET
Subject: Questions again on T/TCP
References: <3560B324.EE6EA57B@acm.org>

I sent the following message to this list some time ago, but nobody responded. Please, can anybody have a look and respond?

Message repeated:

This morning a FreeBSD security advisory was corrected in the FreeBSD announce mail list, regarding a hole in the T/TCP implementation. It can be retrieved from ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:03/

The following modification to /usr/src/sys/netinet/tcp_input.c was recommended:
@@ -680,7 +680,9 @@ * - otherwise do a normal 3-way handshake. */ if ((to.to_flag & TOF_CC) != 0) { - if (taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)){ + if (((tp->t_flags & TF_NOPUSH) != 0) && + taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)){ + taop->tao_cc = to.to_cc; tp->t_state = TCPS_ESTABLISHED;

I don't completely understand the proposed solution. Remember that the state is Listen and TF_NOPUSH was set (see the code below the label findpcb in tcp_input.c). A segment is received; it passes if SYN is present and the other filters are OK. When reaching the TAO test, the proposal expands the test with ((tp->t_flags & TF_NOPUSH) != 0), which is always true! Can anybody tell me what I am missing?

Second question: in tcp_input.c, when the clone socket is created, the clone connection is moved to Listen and TF_NOPUSH is set. However, if you have a look at the ttcp man page, it is recommended (SERVER SUPPORT, item list 1) that TCP_NOPUSH be set for the master connection, but this flag is already set for any clone! Even more, if you reset the flag for the master connection, it will have no effect on its clones. By the way, setting the flag for clone connections is not found in the Stevens book, vol. 3.

--------------------------
E-Mail: jlfreniche@acm.org
--------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
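Review bot: the new guard `((tp->t_flags & TF_NOPUSH) != 0)` in this hunk ties TAO acceptance to a socket option rather than to anything carried in the incoming segment, so if the listening clone always has TF_NOPUSH set (as the message above states) the guard is a no-op and the only effective change is the added `taop->tao_cc = to.to_cc;`. That assignment is the part that matters for the hole: it advances the per-host cache on acceptance, so a later segment carrying the same CC no longer satisfies `CC_GT(to.to_cc, taop->tao_cc)` and falls through to the normal 3-way handshake instead of being accepted again. The hunk should carry a comment saying which of the two is the intended fix and why the flag test is needed at all, because that cannot be verified from the visible lines; the new `CC_GT(to.to_cc, taop->tao_cc)){` line also keeps the missing space before the brace that the removed line had.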
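To make the effect of the added `taop->tao_cc = to.to_cc;` line concrete, here is a small model of the TAO test from the hunk. It is an added example written for this page, not code from the FreeBSD kernel or from the poster: `tao_test` reproduces only the `taop->tao_cc != 0 && CC_GT(...)` branch shown in the diff (the TF_NOPUSH guard is deliberately left out, since its purpose is the open question), `CC_GT` is re-declared here with the serial-number semantics T/TCP uses for its 32-bit connection counts, and `replay_accepts`, `tao_entry`, and the constructed CC values are all hypothetical names and inputs chosen to show the behaviour.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Connection count as used by T/TCP: 32-bit, compared modulo 2^32.
 * Re-declared here for the example; same idea as CC_GT in tcp_seq.h. */
typedef uint32_t tcp_cc;
#define CC_GT(a, b) ((int32_t)((a) - (b)) > 0)

/* Hypothetical per-host TAO cache entry (only the field the hunk touches). */
struct tao_entry {
    tcp_cc tao_cc;      /* last CC accepted from this host; 0 = unknown */
};

enum tao_result { TAO_ACCEPT, THREE_WAY };

/* Model of the branch in the hunk.  have_cc stands for (to.to_flag & TOF_CC),
 * seg_cc for to.to_cc.  When update_cache is true the patched line
 * "taop->tao_cc = to.to_cc;" is executed on acceptance. */
enum tao_result tao_test(struct tao_entry *taop, bool have_cc, tcp_cc seg_cc,
                         bool update_cache)
{
    if (have_cc && taop->tao_cc != 0 && CC_GT(seg_cc, taop->tao_cc)) {
        if (update_cache)
            taop->tao_cc = seg_cc;          /* the added line */
        return TAO_ACCEPT;                  /* -> TCPS_ESTABLISHED directly */
    }
    return THREE_WAY;                       /* -> normal 3-way handshake */
}

/* Constructed scenario: the cache already holds CC 100 for a host, and the
 * same SYN with CC 150 is delivered `tries` times.  Returns how many of
 * those copies are accepted via TAO. */
int replay_accepts(bool patched, int tries)
{
    struct tao_entry tao = { .tao_cc = 100 };
    int accepted = 0;
    for (int i = 0; i < tries; i++)
        if (tao_test(&tao, true, 150, patched) == TAO_ACCEPT)
            accepted++;
    return accepted;
}

int main(void)
{
    printf("unpatched: %d of 5 replayed SYNs accepted\n", replay_accepts(false, 5));
    printf("patched:   %d of 5 replayed SYNs accepted\n", replay_accepts(true, 5));
    return 0;
}
```

Without the cache update every copy of the segment satisfies `CC_GT(150, 100)` and bypasses the handshake; with it the first copy is accepted, the cache becomes 150, and the replays fail the comparison. A genuinely new connection with CC 151 is still accepted, and the modular comparison also handles the counter wrapping past 2^32.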