From owner-freebsd-security  Fri Jan 21 15:53:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21])
	by hub.freebsd.org (Postfix) with ESMTP id 4F076158ED
	for <security@FreeBSD.ORG>; Fri, 21 Jan 2000 15:53:28 -0800 (PST)
	(envelope-from gdonl@tsc.tdk.com)
Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198])
	by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id PAA14508;
	Fri, 21 Jan 2000 15:50:33 -0800 (PST)
	(envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194])
	by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id PAA51602;
	Fri, 21 Jan 2000 15:50:32 -0800 (PST)
	(envelope-from Don.Lewis@tsc.tdk.com)
Received: (from gdonl@localhost)
	by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id PAA14888;
	Fri, 21 Jan 2000 15:50:32 -0800 (PST)
Message-Id: <200001212350.PAA14888@salsa.gv.tsc.tdk.com>
From: gdonl@tsc.tdk.com (Don Lewis)
Date: Fri, 21 Jan 2000 15:50:32 -0800
In-Reply-To: Brett Glass <brett@lariat.org>
       "Re: stream.c worst-case kernel paths" (Jan 21,  3:08pm)
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Brett Glass <brett@lariat.org>,
	Jared Mauch <jared@puck.nether.net>
Subject: Re: stream.c worst-case kernel paths
Cc: Wes Peters <wes@softweyr.com>, TrouBle <trouble@netquick.net>,
	security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jan 21,  3:08pm, Brett Glass wrote:
} Subject: Re: stream.c worst-case kernel paths
} I can see that in icmp.c, there is a test that prevents us from
} sending an ICMP packet to a multicast address. And in tcp_input.c,
} the code near the label "dropwithreset" prevents a RST from being
} sent in response to a packet whose DESTINATION was a multicast
} address. But I don't see anything that stops it from going
} out when the SOURCE was a multicast address. So TCP attempts
} to send a RST to that address (something that should be
} fixed!).

Barf!  If this is the problem, then IPFW should be able to block the
attack.

I'm tempted to move the existing multicast tests up to the top
of tcp_input() and check the source address as well.  I just hate
to add extra code to the main code path, though.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message