From owner-svn-src-all@FreeBSD.ORG Wed Apr 30 04:05:50 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A24B6F6B; Wed, 30 Apr 2014 04:05:50 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8C5B611CB; Wed, 30 Apr 2014 04:05:50 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s3U45oTK014547; Wed, 30 Apr 2014 04:05:50 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s3U45mtu014533; Wed, 30 Apr 2014 04:05:48 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201404300405.s3U45mtu014533@svn.freebsd.org> From: Xin LI Date: Wed, 30 Apr 2014 04:05:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r265125 - in releng: 8.3 8.3/sys/conf 8.3/sys/netinet 8.4 8.4/sys/conf 8.4/sys/netinet 9.1 9.1/sys/conf 9.1/sys/netinet 9.2 9.2/sys/conf 9.2/sys/netinet X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Apr 2014 04:05:50 -0000 Author: delphij Date: Wed Apr 30 04:05:47 2014 New Revision: 265125 URL: http://svnweb.freebsd.org/changeset/base/265125 Log: Fix TCP reassembly vulnerability. Security: FreeBSD-SA-14:08.tcp Security: CVE-2014-3000 Approved by: so Modified: releng/8.3/UPDATING releng/8.3/sys/conf/newvers.sh releng/8.3/sys/netinet/tcp_reass.c releng/8.4/UPDATING releng/8.4/sys/conf/newvers.sh releng/8.4/sys/netinet/tcp_reass.c releng/9.1/UPDATING releng/9.1/sys/conf/newvers.sh releng/9.1/sys/netinet/tcp_reass.c releng/9.2/UPDATING releng/9.2/sys/conf/newvers.sh releng/9.2/sys/netinet/tcp_reass.c Modified: releng/8.3/UPDATING ============================================================================== --- releng/8.3/UPDATING Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.3/UPDATING Wed Apr 30 04:05:47 2014 (r265125) @@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20140430: p16 FreeBSD-SA-14:08.tcp + + Fix TCP reassembly vulnerability. [SA-14:08] + 20140408: p15 FreeBSD-SA-14:05.nfsserver FreeBSD-SA-14:06.openssl Fix deadlock in the NFS server. [SA-14:05] Modified: releng/8.3/sys/conf/newvers.sh ============================================================================== --- releng/8.3/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.3/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.3" -BRANCH="RELEASE-p15" +BRANCH="RELEASE-p16" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.3/sys/netinet/tcp_reass.c ============================================================================== --- releng/8.3/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.3/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125) @@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data Modified: releng/8.4/UPDATING ============================================================================== --- releng/8.4/UPDATING Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.4/UPDATING Wed Apr 30 04:05:47 2014 (r265125) @@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20140430: p9 FreeBSD-SA-14:08.tcp + + Fix TCP reassembly vulnerability. [SA-14:08] + 20140408: p8 FreeBSD-SA-14:05.nfsserver FreeBSD-SA-14:06.openssl Fix deadlock in the NFS server. [SA-14:05] Modified: releng/8.4/sys/conf/newvers.sh ============================================================================== --- releng/8.4/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.4/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.4" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.4/sys/netinet/tcp_reass.c ============================================================================== --- releng/8.4/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124) +++ releng/8.4/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125) @@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data Modified: releng/9.1/UPDATING ============================================================================== --- releng/9.1/UPDATING Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.1/UPDATING Wed Apr 30 04:05:47 2014 (r265125) @@ -9,6 +9,10 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20140430: p12 FreeBSD-SA-14:08.tcp + + Fix TCP reassembly vulnerability. [SA-14:08] + 20140408: p11 FreeBSD-SA-14:05.nfsserver FreeBSD-SA-14:06.openssl Fix deadlock in the NFS server. [SA-14:05] Modified: releng/9.1/sys/conf/newvers.sh ============================================================================== --- releng/9.1/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.1/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.1" -BRANCH="RELEASE-p11" +BRANCH="RELEASE-p12" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.1/sys/netinet/tcp_reass.c ============================================================================== --- releng/9.1/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.1/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125) @@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data Modified: releng/9.2/UPDATING ============================================================================== --- releng/9.2/UPDATING Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.2/UPDATING Wed Apr 30 04:05:47 2014 (r265125) @@ -11,6 +11,10 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20140430: p5 FreeBSD-SA-14:08.tcp + + Fix TCP reassembly vulnerability. [SA-14:08] + 20140408: p4 FreeBSD-SA-14:05.nfsserver FreeBSD-SA-14:06.openssl Fix deadlock in the NFS server. [SA-14:05] Modified: releng/9.2/sys/conf/newvers.sh ============================================================================== --- releng/9.2/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.2/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.2" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.2/sys/netinet/tcp_reass.c ============================================================================== --- releng/9.2/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124) +++ releng/9.2/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125) @@ -205,7 +205,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -228,7 +228,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -276,7 +276,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data