Date: Tue, 25 Jan 2000 10:36:10 -0700 From: Warner Losh <imp@village.org> To: Matthew Dillon <dillon@apollo.backplane.com> Cc: security@FreeBSD.ORG Subject: Re: Merged patches Message-ID: <200001251736.KAA04666@harmony.village.org> In-Reply-To: Your message of "Tue, 25 Jan 2000 09:33:16 PST." <200001251733.JAA04770@apollo.backplane.com> References: <200001251733.JAA04770@apollo.backplane.com> <200001251637.JAA04226@harmony.village.org>
In message <200001251733.JAA04770@apollo.backplane.com> Matthew Dillon writes:
: I'd increase the default to 200, no higher. 1000 is probably too
: high a rate.
ok.
: I found a bug in the patch:
:
: : #endif
: :- if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
: :- goto drop;
: :+ if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
: :+ IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
: :+ IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))
: : #ifdef INET6
: : if (isipv6) {
: : MALLOC(sin6, struct sockaddr_in6 *, sizeof *sin6,
:
: In the above section, the 'goto drop' was removed. Shouldn't that stay
: in? The body of this 'if' statement is now the conditional that
: follows it, which is not what I think you meant to do.
You are right.... Uggg, the indenting there is somewhat less than
optimal. Will have to fix that later. However, here's the corrected
patch.
Warner
Index: netinet/tcp_input.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v
retrieving revision 1.103
diff -u -r1.103 tcp_input.c
--- netinet/tcp_input.c 2000/01/15 14:56:35 1.103
+++ netinet/tcp_input.c 2000/01/25 17:35:13
@@ -615,10 +615,6 @@
break;
}
}
-#ifdef ICMP_BANDLIM
- if (badport_bandlim(1) < 0)
- goto drop;
-#endif
if (blackhole) {
switch (blackhole) {
case 1:
@@ -631,11 +627,11 @@
goto drop;
}
}
- goto dropwithreset;
+ goto maybedropwithreset;
}
tp = intotcpcb(inp);
if (tp == 0)
- goto dropwithreset;
+ goto maybedropwithreset;
if (tp->t_state == TCPS_CLOSED)
goto drop;
@@ -695,7 +691,7 @@
*/
if (thflags & TH_ACK) {
tcpstat.tcps_badsyn++;
- goto dropwithreset;
+ goto maybedropwithreset;
}
goto drop;
}
@@ -772,7 +768,7 @@
*/
if (thflags & TH_ACK) {
tcpstat.tcps_badsyn++;
- goto dropwithreset;
+ goto maybedropwithreset;
}
goto drop;
}
@@ -999,7 +995,7 @@
if (thflags & TH_RST)
goto drop;
if (thflags & TH_ACK)
- goto dropwithreset;
+ goto maybedropwithreset;
if ((thflags & TH_SYN) == 0)
goto drop;
if (th->th_dport == th->th_sport) {
@@ -1017,16 +1013,22 @@
* RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
* in_broadcast() should never return true on a received
* packet with M_BCAST not set.
+ *
+ * Packets with a multicast source address should also
+ * be discarded.
*/
if (m->m_flags & (M_BCAST|M_MCAST))
goto drop;
#ifdef INET6
if (isipv6) {
- if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst))
+ if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
+ IN6_IS_ADDR_MULTICAST(&ip6->ip6_src))
goto drop;
} else
#endif
- if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
+ if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
+ IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
+ IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))
goto drop;
#ifdef INET6
if (isipv6) {
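Review bot: The comment added at the top of the hunk describes only the multicast-source case, while the IPv4 condition further down also discards packets whose source is IN_EXPERIMENTAL (class E), so the comment undersells what the check does; suggest `* Packets with a multicast (or, for IPv4, experimental/class E)` `* source address should also be discarded.` That same `if` hangs off `} else` across `#endif`, with a three-line condition and an unbraced `goto drop;` body, which is exactly the shape that let the body go missing in the earlier revision of this patch, so bracing the body (`{ goto drop; }`) or otherwise making both branches visibly complete would make the next edit safer. The identical condition recurs in the last hunk (the dropwithreset path, -2217/+2230) with no explanatory comment at all, so the wording above belongs there too. The enclosing function starts and ends outside the hunk.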
@@ -1187,7 +1189,7 @@
if ((thflags & TH_ACK) &&
(SEQ_LEQ(th->th_ack, tp->snd_una) ||
SEQ_GT(th->th_ack, tp->snd_max)))
- goto dropwithreset;
+ goto maybedropwithreset;
break;
/*
@@ -1529,7 +1531,7 @@
* for the "LAND" DoS attack.
*/
if (tp->t_state == TCPS_SYN_RECEIVED && SEQ_LT(th->th_seq, tp->irs))
- goto dropwithreset;
+ goto maybedropwithreset;
todrop = tp->rcv_nxt - th->th_seq;
if (todrop > 0) {
@@ -2192,7 +2194,7 @@
if (tp->t_state == TCPS_SYN_RECEIVED && (thflags & TH_ACK) &&
(SEQ_GT(tp->snd_una, th->th_ack) ||
SEQ_GT(th->th_ack, tp->snd_max)) )
- goto dropwithreset;
+ goto maybedropwithreset;
#ifdef TCPDEBUG
if (so->so_options & SO_DEBUG)
tcp_trace(TA_DROP, ostate, tp, (void *)tcp_saveipgen,
@@ -2203,6 +2205,17 @@
(void) tcp_output(tp);
return;
+
+ /*
+ * Conditionally drop with reset or just drop depending on whether
+ * we think we are under attack or not.
+ */
+maybedropwithreset:
+#ifdef ICMP_BANDLIM
+ if (badport_bandlim(1) < 0)
+ goto drop;
+#endif
+ /* fall through */
dropwithreset:
#ifdef TCP_RESTRICT_RST
if (restrict_rst)
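Review bot: The new comment above `maybedropwithreset:` says the choice depends on whether "we think we are under attack" but not what decides it, and when ICMP_BANDLIM is not defined the label is simply an alias of dropwithreset; a reader following the renamed `goto`s needs that stated here rather than inferred from the `#ifdef`. Suggested wording: `* Drop with reset unless badport_bandlim() (ICMP_BANDLIM, presumably the` `* rate limit discussed in this thread) says to drop silently instead;` `* without ICMP_BANDLIM this is identical to dropwithreset.` Note also that the first hunk removes the badport_bandlim() call from the no-inpcb path, so closed-port packets that the blackhole switch drops silently no longer count toward the limit; that looks intended since no RST is sent, but it deserves a sentence in the change description. The enclosing function continues outside the hunk.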
@@ -2217,11 +2230,14 @@
goto drop;
#ifdef INET6
if (isipv6) {
- if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst))
+ if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
+ IN6_IS_ADDR_MULTICAST(&ip6->ip6_src))
goto drop;
} else
#endif /* INET6 */
- if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
+ if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
+ IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
+ IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))
goto drop;
/* IPv6 anycast check is done at tcp6_input() */
#ifdef TCPDEBUG
