From owner-freebsd-security  Fri Jan 21 15:22:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ind.alcatel.com (postal.xylan.com [208.8.0.248])
	by hub.freebsd.org (Postfix) with ESMTP id BF59B15602
	for <security@freebsd.org>; Fri, 21 Jan 2000 15:22:44 -0800 (PST)
	(envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com (mailhub [198.206.181.70])
	by ind.alcatel.com (8.9.3+Sun/8.9.1 (ind.alcatel.com 3.0 [OUT])) with SMTP id PAA21395;
	Fri, 21 Jan 2000 15:21:35 -0800 (PST)
X-Origination-Site: <ind.alcatel.com>
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB]))
	id PAA11170; Fri, 21 Jan 2000 15:21:35 -0800
Received: from softweyr.com (dyn1.utah.xylan.com [198.206.184.237])
	by omni.xylan.com (8.9.3+Sun/8.9.1 (Xylan engr [SPOOL])) with ESMTP id PAA07286;
	Fri, 21 Jan 2000 15:20:11 -0800 (PST)
Message-ID: <3888EB02.7FFB4DA5@softweyr.com>
Date: Fri, 21 Jan 2000 16:25:54 -0700
From: Wes Peters <wes@softweyr.com>
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Brett Glass <brett@lariat.org>
Cc: Jared Mauch <jared@puck.nether.net>,
	TrouBle <trouble@netquick.net>, security@freebsd.org
Subject: Re: stream.c worst-case kernel paths
References: <4.2.2.20000121143004.01908960@localhost>
	 <4.2.2.20000121140941.01a68b30@localhost>
	 <200001211415.BAA12772@cairo.anu.edu.au>
	 <20000121.16082400@bastille.netquick.net>
	 <3888C7D2.D82BE362@softweyr.com>
	 <4.2.2.20000121140941.01a68b30@localhost>
	 <20000121162059.Y30675@puck.nether.net>
	 <4.2.2.20000121143004.01908960@localhost> <4.2.2.20000121145537.019bf610@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:
> 
> I can see that in icmp.c, there is a test that prevents us from
> sending an ICMP packet to a multicast address. And in tcp_input.c,
> the code near the label "dropwithreset" prevents a RST from being
> sent in response to a packet whose DESTINATION was a multicast
> address. But I don't see anything that stops it from going
> out when the SOURCE was a multicast address. So TCP attempts
> to send a RST to that address (something that should be
> fixed!). Maybe this is one of the reasons why TCP_RESTRICT_RST
> seems to help defeat this exploit.
> 
> [Side note: It occurs to me that George may not have tried the
> -random option in his tests, and therefore might not have
> seen this.]

That agrees with what I've seen here.  I think TCP should quietly drop
any TCP packets whose source or destination is not a unicast address;
they are obviously badly formatted packets that can be nothing but evil.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message