From owner-freebsd-security  Fri Nov 21 16:37:47 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id QAA28282
          for security-outgoing; Fri, 21 Nov 1997 16:37:47 -0800 (PST)
          (envelope-from owner-freebsd-security)
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA28269
          for <security@FreeBSD.ORG>; Fri, 21 Nov 1997 16:37:40 -0800 (PST)
          (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191])
          by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP
	  id QAA07319; Fri, 21 Nov 1997 16:37:20 -0800 (PST)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194])
	by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id QAA27324;
	Fri, 21 Nov 1997 16:37:19 -0800 (PST)
Received: (from gdonl@localhost)
	by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id QAA16107;
	Fri, 21 Nov 1997 16:37:17 -0800 (PST)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199711220037.QAA16107@salsa.gv.tsc.tdk.com>
Date: Fri, 21 Nov 1997 16:37:17 -0800
In-Reply-To: Don Lewis <Don.Lewis@tsc.tdk.com>
       "Re: new TCP/IP bug in win95 (fwd)" (Nov 21,  5:00am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Don Lewis <Don.Lewis@tsc.tdk.com>, Jim Shankland <jas@flyingfox.com>,
        robert@cyrus.watson.org
Subject: Re: new TCP/IP bug in win95 (fwd)
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 21,  5:00am, Don Lewis wrote:
} Subject: Re: new TCP/IP bug in win95 (fwd)
} 
} I think something like this (untested) patch should do the trick:
} 
} --- tcp_input.c.prev	Fri Nov 21 04:34:51 1997
} +++ tcp_input.c	Fri Nov 21 05:00:07 1997
} @@ -752,6 +752,17 @@
}  		}
}  
}  	/*
} +	 * If the state is SYN_RCVD:
} +	 *	if seg contains an ACK, but not for our SYN,ACK, drop the input.
} +	 * Otherwise continue processing
} +	 */
} +	case TCPS_SYN_RECEIVED:
} +		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
} +		    SEQ_GT(ti->ti_ack, tp->snd_max))
} +			goto dropwithreset;
} + 		break;  /* continue normal processing */

This is badly broken since this check should only be done if the ACK bit
is set.

} +
} +	/*
}  	 * If the state is SYN_SENT:
}  	 *	if seg contains an ACK, but not for our SYN, drop the input.
}  	 *	if seg contains a RST, then drop the connection.
} @@ -1171,9 +1182,7 @@
}  	 * send an RST.
}  	 */
}  	case TCPS_SYN_RECEIVED:
} -		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
} -		    SEQ_GT(ti->ti_ack, tp->snd_max))
} -			goto dropwithreset;
} +		/* ACK validation was done earlier, before window trim */
}  
}  		tcpstat.tcps_connects++;
}  		soisconnected(so);
}-- End of excerpt from Don Lewis

I like the following patch better since it is both smaller and doesn't
require investigating all the different possible relationships between
sequence numbers.  Comments?

--- tcp_input.c.prev	Fri Nov 21 04:34:51 1997
+++ tcp_input.c	Fri Nov 21 16:32:10 1997
@@ -752,6 +752,18 @@
 		}
 
 	/*
+	 * If the state is SYN_RCVD:
+	 *	If seg contains a SYN,ACK, then drop it and send a RST.
+	 *	We should only ever get an ACK or a duplicate SYN (if our
+	 *	SYN,ACK was lost) in this state.
+	 * Otherwise continue processing
+	 */
+	case TCPS_SYN_RECEIVED:
+		if ((tiflags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK))
+			goto dropwithreset;
+ 		break;  /* continue normal processing */
+
+	/*
 	 * If the state is SYN_SENT:
 	 *	if seg contains an ACK, but not for our SYN, drop the input.
 	 *	if seg contains a RST, then drop the connection.