Date:      Thu, 01 May 2014 15:19:47 +0100
From:      Karl Pielorz <kpielorz_lst@tdx.co.uk>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Message-ID:  <7A880FB5C3D1DA39692881FE@study64.tdx.co.uk>
In-Reply-To: <201404300435.s3U4ZAw1093717@freefall.freebsd.org>
References:  <201404300435.s3U4ZAw1093717@freefall.freebsd.org>



--On 30 April 2014 04:35:10 +0000 FreeBSD Security Advisories 
<security-advisories@freebsd.org> wrote:

> II.  Problem Description
>
> FreeBSD may add a reassemble queue entry on the stack into the segment
> list when the reassembly queue reaches its limit.  The memory from the
> stack is undefined after the function returns.  Subsequent iterations of
> the reassembly function will attempt to access this entry.

Hi,

Does this require an established TCP session to be present? - i.e. If you 
have a host which provides no external TCP sessions (i.e. replies 
'Connection Refused' / drops the initial SYN) would that still be 
potentially exploitable?

What about boxes used as routers - that just forward the traffic (and 
again, offer no TCP services directly themselves)?

-Karl


