Date: Tue, 30 Apr 2002 23:47:54 -0500 (CDT)
From: Mike Silbersack
To: Garance A Drosihn
Cc: stable@FreeBSD.ORG
Subject: Re: Heads Up: Accept filters fixed
Message-ID: <20020430234550.M33460-100000@patrocles.silby.com>

On Wed, 1 May 2002, Garance A Drosihn wrote:

> At 11:07 PM -0500 4/30/02, Mike Silbersack wrote:
> >Just a quick note for those of you using accept filters with
> >a 4.4+ kernel using the syncache: Your accept filters are
> >broken, and easily DoSable.
> >
> >The fix (attached) has now been committed to both 5.0 and 4.5,
> >so I recommend doing one of two things if you're using accept
> >filters:
>
> How seriously are they broken?
> Should this be MFC'ed into RELENG_4_5 ? (security-patches branch)
>
> --
> Garance Alistair Drosehn = gad@gilead.netel.rpi.edu

Well, they're easily DoSable, but you can tell who's hogging the
connections with a simple netstat. If someone wants to merge the change
to RELENG_4_5, that'd be fine with me, but I don't think it's security
advisory material.

Mike "Silby" Silbersack
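
Added example, not part of the original message: one way to do the "simple netstat" check mentioned in the reply, by tallying connections per remote host on a given local port. The function name `top_talkers` and the sample output are constructed here, and the script assumes FreeBSD's `host.port` address format and that the hogging connections show up as ESTABLISHED.

```shell
#!/bin/sh
# Tally ESTABLISHED TCP connections per remote host for one local port.
# Reads FreeBSD-style `netstat -an -p tcp` output on stdin.
# Live use on a server: netstat -an -p tcp | top_talkers 80

top_talkers() {
    port="$1"
    awk -v port="$port" '
        # Only TCP rows whose last column is the state we care about.
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            lport = $4
            faddr = $5
            # FreeBSD prints host.port, so the port follows the last dot.
            sub(/^.*\./, "", lport)
            if (lport != port) next
            # Drop the remote port so connections group by remote host.
            sub(/\.[0-9]+$/, "", faddr)
            count[faddr]++
        }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample output (documentation address ranges), not real data.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.1.80           198.51.100.7.51234     ESTABLISHED
tcp4       0      0  192.0.2.1.80           198.51.100.7.51235     ESTABLISHED
tcp4       0      0  192.0.2.1.80           198.51.100.7.51236     ESTABLISHED
tcp4       0      0  192.0.2.1.80           203.0.113.9.40001      ESTABLISHED
tcp4       0      0  192.0.2.1.22           203.0.113.9.40002      ESTABLISHED
tcp4       0      0  192.0.2.1.80           203.0.113.20.40100     TIME_WAIT
tcp4       0      0  *.80                   *.*                    LISTEN
tcp6       0      0  2001:db8::1.80         2001:db8::99.50000     ESTABLISHED'

# Hosts holding the most connections to port 80 come first.
printf '%s\n' "$SAMPLE" | top_talkers 80
```

A remote host whose count sits far above the others is the one to look at first.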