From: Don Lewis
Message-Id: <200001230247.SAA18398@salsa.gv.tsc.tdk.com>
Date: Sat, 22 Jan 2000 18:47:38 -0800
In-Reply-To: <4.2.2.20000122081057.01992100@localhost>
References: <4.2.2.20000122002353.019b9c10@localhost> <4.2.2.20000122081057.01992100@localhost>
To: Brett Glass
Subject: Re: stream.c worst-case kernel paths
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG

On Jan 22, 8:19am, Brett Glass wrote:
} Subject: Re: stream.c worst-case kernel paths

} RST+SYN and RST+FIN should definitely be dropped. I don't know what
} one would do with RST+URG or RST+PSH; I would tend to think that
} one would want to drop these rather than letting them modify
} the state of any connection, since they could be part of an
} attack.

It's probably not worth the code to handle these in any special way. The FIN, URG, and PSH bits are looked at except for normal data packets that have gotten pretty far into the code. If the RST bit is set, the packet will be diverted into a different path.

To do any harm with any of these bits, an attacker has to be able to get past the sequence number checks, and if the attacker can do that the game is over no matter what sort of additional sanity checks one tries to implement. The only real additional protection is called IPSEC.
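
The checks discussed in this message, sketched as an added example that is not part of the original email and is not FreeBSD's tcp_input code: RST+SYN and RST+FIN are dropped outright, while RST+URG and RST+PSH need no special case because the sequence check gates everything and the reset path ignores those bits. `classify_segment`, `struct conn` and the verdict names are hypothetical; the `TH_*` values and `SEQ_*` macros follow the BSD headers.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits, values as in BSD <netinet/tcp.h> */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

/* Wraparound-safe sequence comparisons, as in BSD tcp_seq.h */
#define SEQ_LT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) >= 0)

enum verdict { V_DROP, V_RESET_PATH, V_NORMAL };  /* hypothetical names */

struct conn {            /* hypothetical, minimal receive state */
    uint32_t rcv_nxt;    /* next sequence number expected */
    uint32_t rcv_wnd;    /* advertised receive window */
};

/* Is seq acceptable for an established connection? (simplified check) */
static int seq_in_window(const struct conn *c, uint32_t seq)
{
    if (c->rcv_wnd == 0)                 /* zero window: exact match only */
        return seq == c->rcv_nxt;
    return SEQ_GEQ(seq, c->rcv_nxt) && SEQ_LT(seq, c->rcv_nxt + c->rcv_wnd);
}

enum verdict classify_segment(const struct conn *c, uint8_t flags, uint32_t seq)
{
    /* Contradictory combinations: cheap to reject before anything else. */
    if ((flags & TH_RST) && (flags & (TH_SYN | TH_FIN)))
        return V_DROP;
    /* The real gate: a segment outside the window changes no state. */
    if (!seq_in_window(c, seq))
        return V_DROP;
    /* RST diverts to the reset path; URG and PSH are never consulted there. */
    if (flags & TH_RST)
        return V_RESET_PATH;
    return V_NORMAL;
}

int main(void)
{
    struct conn c = { 1000, 500 };       /* constructed sample state */
    printf("RST|SYN in window  -> %d\n", classify_segment(&c, TH_RST | TH_SYN, 1000));
    printf("RST|URG in window  -> %d\n", classify_segment(&c, TH_RST | TH_URG, 1000));
    printf("RST out of window  -> %d\n", classify_segment(&c, TH_RST, 5000));
    return 0;
}
```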