From: Jared Mauch <jared@puck.nether.net>
To: Brett Glass
Cc: Don Lewis, Jared Mauch, Wes Peters, TrouBle, security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
Date: Fri, 21 Jan 2000 20:05:07 -0500
Message-ID: <20000121200507.D4055@puck.nether.net>
References: <200001212350.PAA14888@salsa.gv.tsc.tdk.com> <4.2.2.20000121170250.01986ea0@localhost>
In-Reply-To: <4.2.2.20000121170250.01986ea0@localhost>; from brett@lariat.org on Fri, Jan 21, 2000 at 05:44:48PM -0700

On Fri, Jan 21, 2000 at 05:44:48PM -0700, Brett Glass wrote:
> At 04:50 PM 1/21/2000, Don Lewis wrote:
>
> >I'm tempted to move the existing multicast tests up to the top
> >of tcp_input() and check the source address as well. I just hate
> >to add extra code to the main code path, though.
>
> Checking the source address early would not hurt, since
> it seems to be done so much anyway. Go to the /sys/netinet
> directory and do a "grep IN_MULTICAST *" to see what I
> mean!
>
> In fact, the number of scattered tests makes a strong argument
> for doing this check lower down in the stack and setting
> a flag. It might also prevent other problems if multicast
> packets were intercepted before they were ever passed to
> non-multicast protocols. I'd hate to see an attack based
> on, for example, sending ICMP packets to or from a multicast
> source address (shudder).

IMHO this should be available, but restricted, as it is a broadcast (multicast) ping, not just a ping against a host. I may want to ping 224.0.0.5 and if I'm running gated on a FreeBSD box, I want it to respond.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/
My statements are only mine. END OF LINE |
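The "check once lower in the stack and set a flag" idea from the thread, combined with Jared's point that ICMP echo to a group such as 224.0.0.5 should still be deliverable, as an added example. This is illustrative code written for this page, not FreeBSD kernel code; the `struct pkt`, flag names and the `accept_packet()` policy are assumptions, and `IN_MULTICAST_HOST` mirrors the host-order test that FreeBSD's `IN_MULTICAST()` macro performs.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not FreeBSD kernel code: classify multicast source and
 * destination once at IP input and record the result as flags, so the
 * per-protocol input paths (tcp_input, icmp_input, ...) need not each
 * repeat the test. Addresses are host byte order, as IN_MULTICAST() expects. */
#define IN_MULTICAST_HOST(a) (((uint32_t)(a) & 0xf0000000u) == 0xe0000000u)

enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };   /* assumed constants */
enum { ICMP_TYPE_ECHO = 8 };

#define PKT_MCAST_SRC 0x1u  /* source address is a multicast group: never legitimate */
#define PKT_MCAST_DST 0x2u  /* destination address is a multicast group */

/* Minimal constructed packet summary used by the example (hypothetical). */
struct pkt { uint32_t src, dst; uint8_t proto; uint8_t icmp_type; };

/* Build a host-order IPv4 address from dotted-quad components. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Done once at IP input; protocol handlers read the flags instead of re-testing. */
unsigned classify_multicast(const struct pkt *p) {
    unsigned f = 0;
    if (IN_MULTICAST_HOST(p->src)) f |= PKT_MCAST_SRC;
    if (IN_MULTICAST_HOST(p->dst)) f |= PKT_MCAST_DST;
    return f;
}

/* Policy as discussed in the thread: a multicast *source* is always bogus
 * (the stream.c-style spoofed source) and is dropped before any protocol
 * work. TCP has no multicast semantics, so multicast destinations are
 * dropped there too. ICMP echo to a group (e.g. 224.0.0.5) stays
 * deliverable so a routing daemon can answer it; other ICMP to a group is
 * dropped. Returns true when the packet may proceed to its protocol input. */
bool accept_packet(const struct pkt *p) {
    unsigned f = classify_multicast(p);
    if (f & PKT_MCAST_SRC) return false;
    if (!(f & PKT_MCAST_DST)) return true;          /* ordinary unicast path */
    switch (p->proto) {
    case PROTO_TCP:  return false;
    case PROTO_ICMP: return p->icmp_type == ICMP_TYPE_ECHO;
    default:         return true;                   /* UDP etc. to groups is normal */
    }
}
```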