Date: Tue, 30 Apr 2002 23:07:29 -0500 (CDT)
From: Mike Silbersack
To: stable@freebsd.org
Subject: Heads Up: Accept filters fixed
Message-ID: <20020430225620.D32402-200000@patrocles.silby.com>

Just a quick note for those of you using accept filters with a 4.4+ kernel using the syncache:

Your accept filters are broken, and easily DoSable. The fix (attached) has now been committed to both 5.0 and 4.5, so I recommend doing one of two things if you're using accept filters:

1. Stop using them.
2. Patch or cvsup and rebuild your kernel.

Mike "Silby" Silbersack

---------- Forwarded message ----------
Date: Tue, 30 Apr 2002 20:27:35 -0700 (PDT)
From: Mike Silbersack
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/kern uipc_socket.c uipc_socket2.c

silby       2002/04/30 20:27:35 PDT

  Modified files:        (Branch: RELENG_4)
    sys/kern             uipc_socket.c uipc_socket2.c
  Log:
  MFC: Make sure that sockets undergoing accept filtering are aborted in a
  LRU fashion when the listen queue fills up.  Previously, there was no
  mechanism to kick out old sockets, leading to an easy DoS of daemons
  using accept filtering.

  Revision   Changes    Path
  1.116      +1 -2      src/sys/kern/uipc_socket.c
  1.87       +7 -1      src/sys/kern/uipc_socket2.c

  Revision   Changes    Path
  1.68.2.21  +1 -2      src/sys/kern/uipc_socket.c
  1.55.2.14  +7 -1      src/sys/kern/uipc_socket2.c

Attachment: acceptfilterfix2-stable.patch
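A user-space model of the queue policy described in the commit log above, added here as an illustration; it is not taken from the attached patch or from the FreeBSD source. It compares a full filter queue with and without LRU eviction. The names, the QLIMIT value, and the assumption that a newcomer is simply lost when nothing can be evicted are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define QLIMIT 4                      /* constructed queue limit for this model */
enum policy { NO_EVICT, LRU_EVICT };  /* hypothetical names, not kernel symbols */
struct listener { int held[QLIMIT]; int n_held; };  /* held sockets, oldest first */

/* A new connection enters the filter queue. Returns 1 if it was queued. */
static int conn_arrive(struct listener *l, int id, enum policy p)
{
    if (l->n_held >= QLIMIT) {
        if (p == NO_EVICT)
            return 0;                 /* assumed pre-fix outcome: newcomer is lost */
        /* fixed behaviour: abort the oldest held socket (LRU) to make room */
        memmove(&l->held[0], &l->held[1], (QLIMIT - 1) * sizeof(int));
        l->n_held--;
    }
    l->held[l->n_held++] = id;
    return 1;
}

/* The filter condition is met: the socket leaves the held queue for accept(). */
static int conn_ready(struct listener *l, int id)
{
    for (int i = 0; i < l->n_held; i++)
        if (l->held[i] == id) {
            memmove(&l->held[i], &l->held[i + 1], (l->n_held - i - 1) * sizeof(int));
            l->n_held--;
            return 1;
        }
    return 0;
}

/* `stale` sockets never satisfy the filter; `real` ones arrive later and do. */
static int served(enum policy p, int stale, int real)
{
    struct listener l = {0};
    int ok = 0;
    for (int id = 0; id < stale + real; id++)
        if (conn_arrive(&l, id, p) && id >= stale)
            ok += conn_ready(&l, id);
    return ok;
}

int main(void)
{
    printf("served: no-evict %d/3, LRU %d/3\n", served(NO_EVICT, 10, 3), served(LRU_EVICT, 10, 3));
    return 0;
}
```

With eviction the stale entries are recycled and every later client is served; without it the queue stays pinned at its limit until the stale sockets go away on their own.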