Date: Sun, 25 Apr 2004 19:56:31 -0700 (PDT)
From: Mike Silbersack <silby@FreeBSD.org>
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet tcp_input.c tcp_var.h
Message-ID: <200404260256.i3Q2uV18048208@repoman.freebsd.org>
silby       2004/04/25 19:56:31 PDT

  FreeBSD src repository

  Modified files:
    sys/netinet          tcp_input.c tcp_var.h
  Log:
  Tighten up reset handling in order to make reset attacks as difficult
  as possible while maintaining compatibility with the widest range of
  TCP stacks.  The algorithm is as follows:

  ---

  For connections in the ESTABLISHED state, only resets with
  sequence numbers exactly matching last_ack_sent will cause a
  reset, all other segments will be silently dropped.

  For connections in all other states, a reset anywhere in the
  window will cause the connection to be reset.  All other segments
  will be silently dropped.

  ---

  The necessity of accepting all in-window resets was discovered
  by jayanth and jlemon, both of whom have seen TCP stacks that
  will respond to FIN-ACK packets with resets not meeting the
  strict last_ack_sent check.

  Idea by:        Darren Reed
  Reviewed by:    truckman, jlemon, others(?)

  Revision  Changes    Path
  1.235     +10 -0     src/sys/netinet/tcp_input.c
  1.105     +1 -0      src/sys/netinet/tcp_var.h
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404260256.i3Q2uV18048208>
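The two-tier acceptance rule in the log message above, as an added example (editor's illustration, not FreeBSD's tcp_input.c). It models the decision with plain scalars instead of a tcpcb: the field names last_ack_sent and rcv_wnd follow the log, the state names follow the usual TCPS_* naming, and the "in the window" test for non-ESTABLISHED states is assumed to be the half-open range [last_ack_sent, last_ack_sent + rcv_wnd) compared modulo 2^32. The count_accepted() helper scans a run of candidate sequence numbers so the attack-surface difference between the two rules is visible: for a blind RST injection against an ESTABLISHED connection exactly one sequence number out of 2^32 is accepted, whereas for other states every value in the receive window is.

```c
/* Added example of the RST acceptance policy described in the commit log.
 * Not FreeBSD kernel code; field and state names are stand-ins. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Modulo-2^32 sequence comparisons, same idea as the SEQ_* macros in
 * tcp_seq.h: the signed difference decides the ordering across wraparound. */
#define SEQ_LT(a, b)   ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b)  ((int32_t)((a) - (b)) >= 0)

enum tcp_state {
    TCPS_SYN_RECEIVED, TCPS_ESTABLISHED, TCPS_CLOSE_WAIT, TCPS_FIN_WAIT_1,
    TCPS_CLOSING, TCPS_LAST_ACK, TCPS_FIN_WAIT_2, TCPS_TIME_WAIT
};

/* Return true if an RST carrying sequence number `seq` should tear the
 * connection down. last_ack_sent is the ACK value we most recently sent
 * (what the peer must use as its next sequence number); rcv_wnd is the
 * receive window advertised with it. */
bool rst_accepted(enum tcp_state state, uint32_t last_ack_sent,
                  uint32_t rcv_wnd, uint32_t seq)
{
    if (state == TCPS_ESTABLISHED) {
        /* Strict rule: only the exact expected sequence number. */
        return seq == last_ack_sent;
    }
    /* Assumed window test for all other states: anywhere in
     * [last_ack_sent, last_ack_sent + rcv_wnd), computed modulo 2^32. */
    return SEQ_GEQ(seq, last_ack_sent) &&
           SEQ_LT(seq, last_ack_sent + rcv_wnd);
}

/* Count how many of the n consecutive sequence numbers starting at `start`
 * (wrapping past 2^32) would be accepted as a valid RST. This is what an
 * off-path attacker spraying guessed RSTs is effectively measuring. */
uint32_t count_accepted(enum tcp_state state, uint32_t last_ack_sent,
                        uint32_t rcv_wnd, uint32_t start, uint32_t n)
{
    uint32_t hits = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (rst_accepted(state, last_ack_sent, rcv_wnd, start + i))
            hits++;
    }
    return hits;
}

int main(void)
{
    /* Constructed connection state chosen so the window straddles the
     * 2^32 wraparound, which exercises the SEQ_* comparisons. */
    const uint32_t last_ack_sent = 0xFFFFFF00u;
    const uint32_t rcv_wnd = 65535;
    /* Scan a range that fully covers the window plus some margin. */
    const uint32_t scan_start = 0xFFFFFE00u;
    const uint32_t scan_len = 0x20000u;

    printf("ESTABLISHED: %u of %u guesses accepted\n",
           count_accepted(TCPS_ESTABLISHED, last_ack_sent, rcv_wnd,
                          scan_start, scan_len), scan_len);
    printf("FIN_WAIT_1:  %u of %u guesses accepted\n",
           count_accepted(TCPS_FIN_WAIT_1, last_ack_sent, rcv_wnd,
                          scan_start, scan_len), scan_len);
    return 0;
}
```

The scan covers the whole advertised window, so the two printed counts are the size of the RST attack surface under each rule: one sequence number for ESTABLISHED, the full window for the closing states, which is the compatibility cost the log message accepts for stacks that reset FIN-ACKs with a non-exact sequence number.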