From owner-freebsd-net Mon Jun 1 13:42:53 1998
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id NAA28965
        for freebsd-net-outgoing; Mon, 1 Jun 1998 13:42:53 -0700 (PDT)
        (envelope-from owner-freebsd-net@FreeBSD.ORG)
Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA28886
        for ; Mon, 1 Jun 1998 13:42:32 -0700 (PDT)
        (envelope-from peter@netplex.com.au)
Received: from spinner.netplex.com.au (localhost [127.0.0.1])
        by spinner.netplex.com.au (8.8.8/8.8.8/Spinner) with ESMTP id EAA11209;
        Tue, 2 Jun 1998 04:42:15 +0800 (WST)
        (envelope-from peter@spinner.netplex.com.au)
Message-Id: <199806012042.EAA11209@spinner.netplex.com.au>
X-Mailer: exmh version 2.0.2 2/24/98
To: "Juan L. Freniche"
cc: FreeBSD NET
Subject: Re: Questions again on T/TCP
In-reply-to: Your message of "Mon, 01 Jun 1998 20:38:13 +0200." <3572F515.F85A651@acm.org>
Date: Tue, 02 Jun 1998 04:42:15 +0800
From: Peter Wemm
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Juan L. Freniche" wrote:
> I sent some time ago the following message to this list, but nobody
> responded. Please, can anybody have a look and respond?
>
> Message repeated:
>
> This morning a FreeBSD security advisory was corrected in the FreeBSD
> announce mail list, regarding a hole in the T/TCP implementation.
> It can be retrieved from
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:03/
>
> The following modification to /usr/src/sys/netinet/tcp_input.c
> was recommended:
>
> @@ -680,7 +680,9 @@
> * - otherwise do a normal 3-way handshake.
> */
> if ((to.to_flag & TOF_CC) != 0) {
> - if (taop->tao_cc != 0 && CC_GT(to.to_cc,
> taop->tao_cc)){
> + if (((tp->t_flags & TF_NOPUSH) != 0) &&
> + taop->tao_cc != 0 && CC_GT(to.to_cc,
> taop->tao_cc)){
> +
> taop->tao_cc = to.to_cc;
> tp->t_state = TCPS_ESTABLISHED;
>
>
> I don't understand completely the proposed solution:
>
> Remember that the state is Listen and TF_NOPUSH was set (see the code
> below the label findpcb in tcp_input.c). A segment is received; it passes
> if SYN is present and other filters are OK. When reaching the TAO test,
> the proposal expands the test with (tp->t_flags & TF_NOPUSH) != 0),
> which is always true!

TF_NOPUSH is *copied* from the listening socket.  It's only present if the
listener has explicitly enabled it.

        tp->t_flags |= tp0->t_flags & (TF_NOPUSH|TF_NOOPT);

ie: only copy the TF_NOPUSH and TF_NOOPT flags from the listener to the
clone.  If they are not set on the master/listener, the clone does not get
them.

> Can anybody tell me what I am missing?
>
> Second question: in tcp_input.c, when the clone socket is created, the
> clone connection is moved to Listen and TF_NOPUSH is set. However, if you
> have a look at the ttcp man page, it is recommended (SERVER SUPPORT, item
> list 1) that TCP_NOPUSH be set for the master connection, but this flag
> is already set for any clone! Even more, if you reset the flag for the
> master connection, it will have no effect on their clones.

See the above: setting TCP_NOPUSH via setsockopt() is what turns on
TF_NOPUSH on the listener.  The names are similar but the two are separate
things.

> By the way, setting the flag for clone connections is not found in the
> Stevens book, vol. 3.
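Review bot: on the quoted @@ -680,7 +680,9 @@ hunk, the comment block it sits under ("otherwise do a normal 3-way handshake") is left unchanged, so nothing in the code says why the new "(tp->t_flags & TF_NOPUSH) != 0" term is there, namely that the TAO shortcut is now only taken when the listener opted in with TCP_NOPUSH (the flag being copied from the listener, per the reply above); the question in this very thread shows a reader taking the flag for always-set, so a one-line comment at the "+ if" line stating that condition should accompany the change. Minor: the hunk also adds an empty "+" line between the closing "taop->tao_cc)){" and "taop->tao_cc = to.to_cc;", which looks accidental and should be dropped.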
>
> --------------------------
> E-Mail: jlfreniche@acm.org
> --------------------------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

Cheers,
-Peter
--
Peter Wemm
Netplex Consulting

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
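The following is an added example, not code from this thread or from FreeBSD's tcp_input.c. It is a stand-alone C model of the two points made in the reply above: that a clone socket inherits only TF_NOPUSH and TF_NOOPT from its listener, and that the SA-98:03 hunk makes the TAO shortcut (a SYN accepted straight into ESTABLISHED without a 3-way handshake) depend on that inherited TF_NOPUSH bit. The flag values, the struct layouts, the CC_GT definition and the helper tao_decision() are assumptions made for the model; the two test functions mirror the "-" and "+" lines of the hunk.

```c
/*
 * Added example, not code from the thread or from FreeBSD: a model of the
 * listener-to-clone flag copy and of the TAO test before and after the
 * SA-98:03 hunk.  Flag values, struct layouts and CC_GT are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

#define TF_NOPUSH 0x1000u   /* assumed bit value: listener set TCP_NOPUSH */
#define TF_NOOPT  0x0008u   /* assumed bit value: also inherited by clones */
#define TF_OTHER  0x0001u   /* assumed: some listener flag that must not leak */
#define TOF_CC    0x0004u   /* assumed: the SYN carried a CC option */

typedef uint32_t tcp_cc;
/* Wrap-around safe "a is later than b" for 32-bit connection counts. */
#define CC_GT(a, b) ((int32_t)((a) - (b)) > 0)

struct tcpcb  { unsigned t_flags; };                /* per-connection flags */
struct tao    { tcp_cc tao_cc; };                   /* cached CC from this peer */
struct tcpopt { unsigned to_flag; tcp_cc to_cc; };  /* options parsed from SYN */

/* Fact 1 (from the reply): the clone inherits only the two whitelisted bits. */
unsigned clone_flags(unsigned listener_flags)
{
    unsigned t_flags = 0;
    t_flags |= listener_flags & (TF_NOPUSH | TF_NOOPT);
    return t_flags;
}

/* The TAO test as it read before the hunk (the '-' line). */
int tao_accepts_before(const struct tcpcb *tp, const struct tao *taop,
                       const struct tcpopt *to)
{
    (void)tp;   /* the old test never looked at t_flags */
    if ((to->to_flag & TOF_CC) != 0)
        return taop->tao_cc != 0 && CC_GT(to->to_cc, taop->tao_cc);
    return 0;
}

/* The TAO test as it reads after the hunk (the '+' lines). */
int tao_accepts_after(const struct tcpcb *tp, const struct tao *taop,
                      const struct tcpopt *to)
{
    if ((to->to_flag & TOF_CC) != 0)
        return ((tp->t_flags & TF_NOPUSH) != 0) &&
               taop->tao_cc != 0 && CC_GT(to->to_cc, taop->tao_cc);
    return 0;
}

/*
 * Hypothetical helper: a listener carrying listener_flags receives a SYN
 * offering CC offered_cc while cached_cc is remembered for that peer.
 * Returns 1 if the TAO shortcut is taken (ESTABLISHED with no 3-way
 * handshake), 0 if a normal handshake is required.  patched selects the
 * before/after test.
 */
int tao_decision(unsigned listener_flags, tcp_cc cached_cc, tcp_cc offered_cc,
                 int patched)
{
    struct tcpcb  tp   = { clone_flags(listener_flags) };
    struct tao    taop = { cached_cc };
    struct tcpopt to   = { TOF_CC, offered_cc };
    return patched ? tao_accepts_after(&tp, &taop, &to)
                   : tao_accepts_before(&tp, &taop, &to);
}

int main(void)
{
    /* Constructed scenario: the peer offers CC 6 and we remember 5. */
    printf("listener without TCP_NOPUSH, unpatched: TAO=%d\n",
           tao_decision(TF_OTHER, 5, 6, 0));              /* 1 */
    printf("listener without TCP_NOPUSH, patched:   TAO=%d\n",
           tao_decision(TF_OTHER, 5, 6, 1));              /* 0 */
    printf("listener with TCP_NOPUSH, patched:      TAO=%d\n",
           tao_decision(TF_OTHER | TF_NOPUSH, 5, 6, 1));  /* 1 */
    printf("clone flags from listener 0x%x: 0x%x\n",
           TF_OTHER | TF_NOPUSH, clone_flags(TF_OTHER | TF_NOPUSH));
    return 0;
}
```

Run as is, the model shows the point of the hunk from a defender's side: before the change every T/TCP-capable peer with a fresh CC could skip the handshake on any listener; after it, only listeners that deliberately set TCP_NOPUSH (and therefore hand TF_NOPUSH to their clones) offer the shortcut, and the bit is not "always true" because clone_flags() passes it through only when the listener had it.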