From owner-freebsd-security  Fri Jan 21 16:46: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP id E008615662
	for <security@FreeBSD.ORG>; Fri, 21 Jan 2000 16:46:02 -0800 (PST)
	(envelope-from brett@lariat.org)
Received: from workhorse (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA26604;
	Fri, 21 Jan 2000 17:45:40 -0700 (MST)
Message-Id: <4.2.2.20000121170250.01986ea0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Fri, 21 Jan 2000 17:44:48 -0700
To: gdonl@tsc.tdk.com (Don Lewis),
	Jared Mauch <jared@puck.nether.net>
From: Brett Glass <brett@lariat.org>
Subject: Re: stream.c worst-case kernel paths
Cc: Wes Peters <wes@softweyr.com>, TrouBle <trouble@netquick.net>,
	security@FreeBSD.ORG
In-Reply-To: <200001212350.PAA14888@salsa.gv.tsc.tdk.com>
References: <Brett Glass <brett@lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 04:50 PM 1/21/2000 , Don Lewis wrote:

>I'm tempted to move the existing multicast tests up to the top
>of tcp_input() and check the source address as well.  I just hate
>to add extra code to the main code path, though.

Checking the source address early would not hurt, since 
it seems to be done so much anyway. Go to the /sys/netinet
directory and do a "grep IN_MULTICAST *" to see what I
mean!

In fact, the number of scattered tests makes a strong argument 
for doing this check lower down in the stack and setting
a flag. It might also prevent other problems if multicast
packets were intercepted before they were ever passed to
non-multicast protocols. I'd hate to see an attack based 
on, for example, sending ICMP packets to or from a multicast 
source address (shudder).

Perhaps we should set a flag in m_flags, as (if I'm 
reading the code correctly) is done for the destination 
address almost as soon as the packet arrives. There 
seem to be bits available (see /sys/sys/mbuf.h).
(By the way, some of the bits in m_flags aren't documented
in mbuf.h. I just noticed that /sys/net/if_ppp.c defines
two.)

--Brett



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message