From owner-freebsd-security Fri Nov 21 22:27:24 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA16378 for security-outgoing; Fri, 21 Nov 1997 22:27:24 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA16372 for ; Fri, 21 Nov 1997 22:27:19 -0800 (PST) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199711220627.WAA16372@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA105579965; Sat, 22 Nov 1997 17:26:05 +1100
From: Darren Reed
Subject: Re: new TCP/IP bug in win95 (fwd)g
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Sat, 22 Nov 1997 17:26:05 +1100 (EDT)
Cc: Don.Lewis@tsc.tdk.com, jas@flyingfox.com, robert@cyrus.watson.org, security@FreeBSD.ORG
In-Reply-To: <199711220037.QAA16107@salsa.gv.tsc.tdk.com> from "Don Lewis" at Nov 21, 97 04:37:17 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Don Lewis, sie said:
>
> I like the following patch better since it is both smaller and doesn't
> require investigating all the different possible relationships between
> sequence numbers. Comments?
>
> --- tcp_input.c.prev Fri Nov 21 04:34:51 1997
> +++ tcp_input.c Fri Nov 21 16:32:10 1997
> @@ -752,6 +752,18 @@
> }
>
> /*
> + * If the state is SYN_RCVD:
> + * If seg contains a SYN,ACK, then drop it and send a RST.
> + * We should only ever get an ACK or a duplicate SYN (if our
> + * SYN,ACK was lost) in this state.
> + * Otherwise continue processing
> + */
> + case TCPS_SYN_RECEIVED:
> + if ((tiflags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK))
> + goto dropwithreset;
> + break; /* continue normal processing */
> +
> + /*
> * If the state is SYN_SENT:
> * if seg contains an ACK, but not for our SYN, drop the input.
> * if seg contains a RST, then drop the connection.

Hmmm, "doesn't require" checking seq/ack #'s? The seq/ack numbers make up
66% of the validation that a TCP packet is part of an active stream. The
other 33% is the source and destination port.
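Review bot: the new `case TCPS_SYN_RECEIVED:` decides on flag bits alone, so `goto dropwithreset` is taken before the segment's sequence and acknowledgment numbers have been compared with the connection's state; any segment carrying SYN|ACK that matches the connection's ports will draw a RST from us, whether or not its seq/ack could plausibly belong to the handshake. Consider placing the test after the usual ack and window validation for this state, or making the RST conditional on the ACK field actually covering our SYN, so an out-of-window SYN,ACK is dropped silently rather than answered. Minor: the comment's "Otherwise continue processing" and `break; /* continue normal processing */` say the same thing twice; one of them could go.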
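Darren's objection, that a flag test by itself says nothing about whether a segment belongs to the connection, can be seen in a small model. The C program below is an added example written for this page; it is not code from the thread or from tcp_input.c. The `conn` and `segment` structs are hypothetical stand-ins for the tcpcb and tcpiphdr fields the check needs, the connection and the four segments are constructed sample values, and the `SEQ_*` macros follow the 4.4BSD modular comparisons. It applies the patch's flags-only rule and, beside it, the same rule gated on a seq/ack plausibility check, and shows where the two verdicts diverge.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* TCP flag bits, values as in BSD tcp.h */
#define TH_SYN 0x02
#define TH_ACK 0x10

/* 4.4BSD-style modular sequence-number comparisons */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)

/* Hypothetical, trimmed-down stand-ins for the tcpcb and tcpiphdr fields
 * this check needs; they are not the kernel's structures. */
struct conn {
    uint16_t lport, fport;   /* local and foreign port of the embryonic connection */
    uint32_t iss;            /* our initial send sequence number */
    uint32_t snd_nxt;        /* iss + 1 once our SYN,ACK has gone out */
    uint32_t rcv_nxt;        /* next sequence number expected from the peer */
    uint32_t rcv_wnd;        /* receive window */
};

struct segment {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  flags;
};

enum verdict { SEG_CONTINUE = 0, SEG_DROP = 1, SEG_DROP_WITH_RESET = 2 };

static bool ports_match(const struct conn *c, const struct segment *s)
{
    return s->dport == c->lport && s->sport == c->fport;
}

/* Rule as in the quoted patch: in SYN_RCVD any segment carrying SYN|ACK is
 * answered with a RST, before sequence or ack numbers are looked at. */
enum verdict syn_rcvd_flags_only(const struct conn *c, const struct segment *s)
{
    if (!ports_match(c, s))
        return SEG_DROP;
    if ((s->flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
        return SEG_DROP_WITH_RESET;
    return SEG_CONTINUE;
}

/* Same flag rule, but applied only to segments whose seq lies in our receive
 * window and whose ack (if present) covers our SYN. A segment failing either
 * test never reaches the flag test; this model simply drops it, whereas a
 * real stack answers some of these cases with an ACK or a RST. */
enum verdict syn_rcvd_with_seq_check(const struct conn *c, const struct segment *s)
{
    if (!ports_match(c, s))
        return SEG_DROP;
    bool seq_ok = SEQ_LEQ(c->rcv_nxt, s->seq) &&
                  SEQ_LT(s->seq, c->rcv_nxt + c->rcv_wnd);
    bool ack_ok = !(s->flags & TH_ACK) ||
                  (SEQ_GT(s->ack, c->iss) && SEQ_LEQ(s->ack, c->snd_nxt));
    if (!seq_ok || !ack_ok)
        return SEG_DROP;
    if ((s->flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
        return SEG_DROP_WITH_RESET;
    return SEG_CONTINUE;
}

/* Constructed embryonic connection: the peer's SYN carried seq 5000 and our
 * SYN,ACK used iss 1000, so we expect seq 5001 and an ack of 1001 next. */
const struct conn sample_conn = { 80, 40000, 1000, 1001, 5001, 8192 };

int main(void)
{
    /* Constructed segments: {sport, dport, seq, ack, flags} */
    const struct segment segs[] = {
        { 40000, 80, 5001,   1001, TH_ACK },          /* handshake-completing ACK */
        { 40000, 80, 5001,   1001, TH_SYN | TH_ACK }, /* SYN,ACK inside the window */
        { 40000, 80, 777777, 1,    TH_SYN | TH_ACK }, /* SYN,ACK with unrelated seq/ack */
        { 40000, 80, 5001,   7777, TH_ACK },          /* ACK that does not cover our SYN */
    };
    for (size_t i = 0; i < sizeof segs / sizeof segs[0]; i++)
        printf("segment %zu: flags-only=%d with-seq-check=%d\n", i,
               syn_rcvd_flags_only(&sample_conn, &segs[i]),
               syn_rcvd_with_seq_check(&sample_conn, &segs[i]));
    return 0;
}
```

The third segment is the interesting one: the flags-only rule sends a RST for it although neither its sequence nor its acknowledgment number has anything to do with this connection, while the gated version drops it without reaching the flag test. The fourth shows the reverse side of the same point: the flags-only rule lets an ACK with a bogus acknowledgment number through to further processing.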