Date: Wed, 30 Apr 2014 04:05:48 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r265125 - in releng: 8.3 8.3/sys/conf 8.3/sys/netinet 8.4 8.4/sys/conf 8.4/sys/netinet 9.1 9.1/sys/conf 9.1/sys/netinet 9.2 9.2/sys/conf 9.2/sys/netinet Message-ID: <201404300405.s3U45mtu014533@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Wed Apr 30 04:05:47 2014 New Revision: 265125 URL: http://svnweb.freebsd.org/changeset/base/265125 Log: Fix TCP reassembly vulnerability. Security: FreeBSD-SA-14:08.tcp Security: CVE-2014-3000 Approved by: so Modified: releng/8.3/UPDATING releng/8.3/sys/conf/newvers.sh releng/8.3/sys/netinet/tcp_reass.c releng/8.4/UPDATING releng/8.4/sys/conf/newvers.sh releng/8.4/sys/netinet/tcp_reass.c releng/9.1/UPDATING releng/9.1/sys/conf/newvers.sh releng/9.1/sys/netinet/tcp_reass.c releng/9.2/UPDATING releng/9.2/sys/conf/newvers.sh releng/9.2/sys/netinet/tcp_reass.c Modified: releng/8.3/UPDATING ============================================================================== --- releng/8.3/UPDATING Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.3/UPDATING Wed Apr 30 04:05:47 2014 (r265125) @@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20140430: p16 FreeBSD-SA-14:08.tcp + + Fix TCP reassembly vulnerability. [SA-14:08] + 20140408: p15 FreeBSD-SA-14:05.nfsserver FreeBSD-SA-14:06.openssl Fix deadlock in the NFS server. [SA-14:05] Modified: releng/8.3/sys/conf/newvers.sh ============================================================================== --- releng/8.3/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.3/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.3" -BRANCH="RELEASE-p15" +BRANCH="RELEASE-p16" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.3/sys/netinet/tcp_reass.c ============================================================================== --- releng/8.3/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.3/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125) @@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data Modified: releng/8.4/UPDATING ============================================================================== --- releng/8.4/UPDATING Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.4/UPDATING Wed Apr 30 04:05:47 2014 (r265125) @@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20140430: p9 FreeBSD-SA-14:08.tcp + + Fix TCP reassembly vulnerability. [SA-14:08] + 20140408: p8 FreeBSD-SA-14:05.nfsserver FreeBSD-SA-14:06.openssl Fix deadlock in the NFS server. [SA-14:05] Modified: releng/8.4/sys/conf/newvers.sh ============================================================================== --- releng/8.4/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.4/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.4" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.4/sys/netinet/tcp_reass.c ============================================================================== --- releng/8.4/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.4/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125) @@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data Modified: releng/9.1/UPDATING ============================================================================== --- releng/9.1/UPDATING Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.1/UPDATING Wed Apr 30 04:05:47 2014 (r265125) @@ -9,6 +9,10 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20140430: p12 FreeBSD-SA-14:08.tcp + + Fix TCP reassembly vulnerability. [SA-14:08] + 20140408: p11 FreeBSD-SA-14:05.nfsserver FreeBSD-SA-14:06.openssl Fix deadlock in the NFS server. [SA-14:05] Modified: releng/9.1/sys/conf/newvers.sh ============================================================================== --- releng/9.1/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.1/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.1" -BRANCH="RELEASE-p11" +BRANCH="RELEASE-p12" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.1/sys/netinet/tcp_reass.c ============================================================================== --- releng/9.1/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.1/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125) @@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data Modified: releng/9.2/UPDATING ============================================================================== --- releng/9.2/UPDATING Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.2/UPDATING Wed Apr 30 04:05:47 2014 (r265125) @@ -11,6 +11,10 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20140430: p5 FreeBSD-SA-14:08.tcp + + Fix TCP reassembly vulnerability. [SA-14:08] + 20140408: p4 FreeBSD-SA-14:05.nfsserver FreeBSD-SA-14:06.openssl Fix deadlock in the NFS server. [SA-14:05] Modified: releng/9.2/sys/conf/newvers.sh ============================================================================== --- releng/9.2/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.2/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.2" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.2/sys/netinet/tcp_reass.c ============================================================================== --- releng/9.2/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.2/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125) @@ -205,7 +205,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -228,7 +228,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -276,7 +276,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404300405.s3U45mtu014533>