From: Don Lewis
Message-Id: <199809032202.PAA05032@salsa.gv.tsc.tdk.com>
Date: Thu, 3 Sep 1998 15:02:06 -0700
In-Reply-To: "Bruce A. Mah" "Re: FreeBSD's RST validation" (Aug 31, 7:58pm)
To: bmah@CA.Sandia.GOV, BUGTRAQ@netspace.org
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD's RST validation

On Aug 31, 7:58pm, "Bruce A. Mah" wrote:
} Subject: Re: FreeBSD's RST validation
} If memory serves me right, Don Lewis wrote:
}
} > Now that I look at this change some more, I think your added tests are
} > a NOP because of the code just above this:
} >
} >         if ((tiflags & TH_ACK) &&
} >             (SEQ_LEQ(ti->ti_ack, tp->iss) ||
} >              SEQ_GT(ti->ti_ack, tp->snd_max))) {
} >                 [ snip comment ]
} >                 if (taop->tao_ccsent != 0)
} >                         goto drop;
} >                 else
} >                         goto dropwithreset;
} >
} > If the ACK is outside the window, the packet will already have been
} > dropped before we even look for the RST flag.
}
} Ah, yes.  You're absolutely right.  So it appears only the second of the
} original patches is useful (if it's correct, that is).

Alas, the second part won't work either.  The reason is that earlier in
tcp_input() the code that trims the packet to fit the window adjusts the
sequence number:

        todrop = tp->rcv_nxt - ti->ti_seq;
        if (todrop > 0) {
                [snip]
                m_adj(m, todrop);
                ti->ti_seq += todrop;
                ti->ti_len -= todrop;
                [snip]
        }

so if the sequence number is less than rcv_nxt, it will always be set to
rcv_nxt by the time this code gets through with it.

***************
*** 1147,1152 ****
--- 1150,1159 ----
          case TCPS_FIN_WAIT_1:
          case TCPS_FIN_WAIT_2:
          case TCPS_CLOSE_WAIT:
+                 /* XXX outside window? XXX */
+                 if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
+                     SEQ_LT(ti->ti_seq, tp->rcv_nxt))
+                         goto drop;
                  so->so_error = ECONNRESET;
          close:
                  tp->t_state = TCPS_CLOSED;

It appears that the RST sequence validation must be done before the packet
is trimmed to fit the window (which my patch does).
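Review bot: the SEQ_LT(ti->ti_seq, tp->rcv_nxt) half of the added test in the TCPS_FIN_WAIT_1/FIN_WAIT_2/CLOSE_WAIT case is dead where this hunk places it, because the trim code quoted earlier in the message (todrop = tp->rcv_nxt - ti->ti_seq; ... ti->ti_seq += todrop;) has already advanced any sequence number below rcv_nxt to rcv_nxt before control reaches the RST handling; only the SEQ_GEQ upper bound still does any work here, so the check belongs ahead of the trim step, as the message concludes. A second point on the upper bound: when tp->rcv_wnd is 0, SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + 0) is true for a segment at exactly rcv_nxt, so an in-sequence RST arriving while the receiver advertises a zero window would be dropped; the zero-window case (SEG.SEQ == RCV.NXT acceptable) needs to be handled explicitly.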
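The ordering argument made in the message, worked through in C as an added example that is not code from the message or from FreeBSD: the SEQ_LT/SEQ_GEQ macros follow the tcp_seq.h style, while struct seg, struct tcb and trim_to_window() are hypothetical stand-ins that model the trim step exactly as the message describes it (ti_seq advanced to rcv_nxt), with constructed scenario values.

```c
#include <stdint.h>
#include <stdio.h>
/* Serial-number comparisons in the style of FreeBSD's tcp_seq.h; the signed
 * difference keeps them correct across 32-bit wraparound. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)
/* Hypothetical stand-ins for the tcpiphdr/tcpcb fields the thread names. */
struct seg { uint32_t seq; uint32_t len; };
struct tcb { uint32_t rcv_nxt; uint32_t rcv_wnd; };
/* The RST sequence test from the posted hunk: rcv_nxt <= seq < rcv_nxt + rcv_wnd. */
static int rst_in_window(const struct seg *s, const struct tcb *tp)
{
    return !(SEQ_GEQ(s->seq, tp->rcv_nxt + tp->rcv_wnd) ||
             SEQ_LT(s->seq, tp->rcv_nxt));
}
/* Simplified model of the tcp_input() trim step as the message describes it:
 * bytes before rcv_nxt are dropped and ti_seq is advanced to rcv_nxt. */
static void trim_to_window(struct seg *s, const struct tcb *tp)
{
    int32_t todrop = (int32_t)(tp->rcv_nxt - s->seq);
    if (todrop > 0) {
        s->len = (uint32_t)todrop >= s->len ? 0 : s->len - (uint32_t)todrop;
        s->seq += (uint32_t)todrop;
    }
}

/* Constructed scenario: the connection expects seq 1000 with an 8192-byte
 * window; a data-less RST arrives carrying the stale sequence number 500. */
static const struct tcb demo_tp = { 1000, 8192 };
static const struct seg demo_rst = { 500, 0 };

/* Check placed AFTER the trim, where the hunk puts it: 1 = RST accepted. */
static int stale_rst_check_after_trim(void)
{
    struct seg s = demo_rst;
    trim_to_window(&s, &demo_tp);
    return rst_in_window(&s, &demo_tp);        /* 1: the stale RST slips through */
}

/* Check placed BEFORE the trim, the order the reply argues for: 0 = dropped. */
static int stale_rst_check_before_trim(void)
{
    return rst_in_window(&demo_rst, &demo_tp); /* 0: rejected as out of window */
}

int main(void)
{
    printf("check after trim: %d, check before trim: %d\n",
           stale_rst_check_after_trim(), stale_rst_check_before_trim());
    return 0;
}
```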