Date:      Mon, 31 Aug 1998 11:55:07 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        bmah@CA.Sandia.GOV
Cc:        Tristan Horn <tristan+-eyixqg@ETHEREAL.NET>, BUGTRAQ@netspace.org, security@FreeBSD.ORG
Subject:   Re: FreeBSD's RST validation
Message-ID:  <199808311855.LAA28095@salsa.gv.tsc.tdk.com>
In-Reply-To: bmah@CA.Sandia.GOV (Bruce A. Mah) "Re: FreeBSD's RST validation" (Aug 31, 11:24am)

On Aug 31, 11:24am, Bruce A. Mah wrote:
} Subject: Re: FreeBSD's RST validation
} 
} Personally, I had something a little less radical in mind.  Here's some 
} context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to 
} security-officer@freebsd.org last night after some quick testing.
} 
} Now someone can tell me why this isn't the right solution.  :-)
} 
} Bruce.
} 
} -----8<-----snip-----8<-----
} 
} *** tcp_input.c-dist	Mon May 18 10:12:44 1998
} --- tcp_input.c	Sun Aug 30 21:22:32 1998
} ***************
} *** 809,815 ****
}   				goto dropwithreset;
}   		}
}   		if (tiflags & TH_RST) {
} ! 			if (tiflags & TH_ACK)
}   				tp = tcp_drop(tp, ECONNREFUSED);
}   			goto drop;
}   		}
} --- 809,818 ----
}   				goto dropwithreset;
}   		}
}   		if (tiflags & TH_RST) {
} ! 			if ((tiflags & TH_ACK) &&
} ! 			/* XXX outside window? XXX */
} ! 			    (SEQ_GT(ti->ti_ack, tp->iss) && 
} ! 			     SEQ_LEQ(ti->ti_ack, tp->snd_max)))
}   				tp = tcp_drop(tp, ECONNREFUSED);
}   			goto drop;
}   		}
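
Review bot: In the new RST condition the /* XXX outside window? XXX */ comment sits between the two operands of &&, which makes the test hard to read and does not say which range is accepted. Move it above the if and state the range the code enforces (ti_ack greater than tp->iss and no greater than tp->snd_max). The extra parentheses around the SEQ_GT/SEQ_LEQ pair can go as well.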

As more data is sent across the connection, the wider the window for
a spoofed RST opens.  Once you send 2 GB, legitimate RSTs no longer
work.  You should probably be comparing against tp->snd_una instead
of tp->iss.

} ***************
} *** 1147,1152 ****
} --- 1150,1159 ----
}   	case TCPS_FIN_WAIT_1:
}   	case TCPS_FIN_WAIT_2:
}   	case TCPS_CLOSE_WAIT:
} + 		/* XXX outside window? XXX */
} + 		if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
} + 		    SEQ_LT(ti->ti_seq, tp->rcv_nxt))
} + 		    goto drop;
}   		so->so_error = ECONNRESET;
}   	close:
}   		tp->t_state = TCPS_CLOSED;
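
Review bot: The added check ahead of so->so_error = ECONNRESET drops every segment when tp->rcv_wnd is 0: SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) then matches everything at or after rcv_nxt and SEQ_LT(ti->ti_seq, tp->rcv_nxt) matches the rest, so even ti_seq == rcv_nxt is rejected. Consider accepting ti_seq == tp->rcv_nxt when the window is zero, replace the XXX comment with a statement of the accepted range, and indent goto drop with a tab like the surrounding lines.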

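The sequence-space arithmetic behind the reply's objection to the first hunk, as an added example that is not code from this thread or from FreeBSD: it evaluates the ACK test as written in the hunk (lower bound tp->iss) and with the lower bound moved to snd_una. The macros mirror the SEQ_* comparisons by assumption, and struct snd_state, make_state, accept_iss, accept_una and all numeric values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Modular sequence comparisons, same idea as the SEQ_* macros in the patch. */
#define SEQ_GT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) > 0)
#define SEQ_LEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) <= 0)

/* Hypothetical miniature of the send-side state the check reads. */
struct snd_state { uint32_t iss, snd_una, snd_max; };

/* Constructed state: `sent` bytes sent since iss, `inflight` still unacked. */
static struct snd_state make_state(uint32_t iss, uint32_t sent, uint32_t inflight)
{
    struct snd_state s = { iss, iss + sent - inflight, iss + sent };
    return s;
}

/* ACK test as written in the quoted hunk: lower bound is the fixed iss. */
static int accept_iss(const struct snd_state *s, uint32_t ack)
{
    return SEQ_GT(ack, s->iss) && SEQ_LEQ(ack, s->snd_max);
}

/* Same test with the lower bound moved to snd_una, as the reply suggests. */
static int accept_una(const struct snd_state *s, uint32_t ack)
{
    return SEQ_GT(ack, s->snd_una) && SEQ_LEQ(ack, s->snd_max);
}

int main(void)
{
    const uint32_t iss = 0xFFFFF000u;                  /* constructed value */
    const uint32_t sent[] = { 1u << 20, 0x80001000u }; /* 1 MB, just over 2 GB */

    for (int i = 0; i < 2; i++) {
        struct snd_state s = make_state(iss, sent[i], 8192);
        uint32_t stale = iss + 1000;   /* ack for data acknowledged long ago */

        printf("sent=%10lu stale ack: iss=%d una=%d | ack==snd_max: iss=%d una=%d\n",
               (unsigned long)sent[i],
               accept_iss(&s, stale), accept_una(&s, stale),
               accept_iss(&s, s.snd_max), accept_una(&s, s.snd_max));
    }
    return 0;
}
```

With the iss bound, an ACK value for long-acknowledged data still passes after 1 MB, and an ACK equal to snd_max fails once more than 2 GB has been sent; with the snd_una bound the accepted range stays the size of the data in flight.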