Date: Thu, 3 Sep 1998 15:02:06 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: bmah@CA.Sandia.GOV, BUGTRAQ@netspace.org
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD's RST validation
Message-ID: <199809032202.PAA05032@salsa.gv.tsc.tdk.com>
In-Reply-To: "Bruce A. Mah" <bmah@CA.Sandia.GOV> "Re: FreeBSD's RST validation" (Aug 31, 7:58pm)

On Aug 31, 7:58pm, "Bruce A. Mah" wrote:
} Subject: Re: FreeBSD's RST validation
} If memory serves me right, Don Lewis wrote:
}
} > Now that I look at this change some more, I think your added tests are
} > a NOP because of the code just above this:
} >
} >     if ((tiflags & TH_ACK) &&
} >         (SEQ_LEQ(ti->ti_ack, tp->iss) ||
} >          SEQ_GT(ti->ti_ack, tp->snd_max))) {
} >             [ snip comment ]
} >             if (taop->tao_ccsent != 0)
} >                     goto drop;
} >             else
} >                     goto dropwithreset;
} >
} > If the ACK is outside the window, the packet will already have been
} > dropped before we even look for the RST flag.
}
} Ah, yes. You're absolutely right. So it appears only the second of the
} original patches is useful (if it's correct, that is).
Alas, the second part won't work either. The reason is that earlier in
tcp_input() the code that trims the packet to fit the window adjusts
the sequence number.
    todrop = tp->rcv_nxt - ti->ti_seq;
    if (todrop > 0) {
            [snip]
            m_adj(m, todrop);
            ti->ti_seq += todrop;
            ti->ti_len -= todrop;
            [snip]
    }
so if the sequence number is less than rcv_nxt, it will always be set to
rcv_nxt by the time this code gets through with it.
***************
*** 1147,1152 ****
--- 1150,1159 ----
case TCPS_FIN_WAIT_1:
case TCPS_FIN_WAIT_2:
case TCPS_CLOSE_WAIT:
+ /* XXX outside window? XXX */
+ if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
+ SEQ_LT(ti->ti_seq, tp->rcv_nxt))
+ goto drop;
so->so_error = ECONNRESET;
close:
tp->t_state = TCPS_CLOSED;
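Review bot: the `SEQ_LT(ti->ti_seq, tp->rcv_nxt)` half of the added test is unreachable as a drop condition at this point in tcp_input(): the trim-to-window code that runs earlier does `ti->ti_seq += todrop` for any segment that started below rcv_nxt, so by the time control reaches the TCPS_FIN_WAIT_1 / TCPS_FIN_WAIT_2 / TCPS_CLOSE_WAIT cases a stale RST already carries ti_seq == rcv_nxt and passes the check. The validation should run before the trim (or compare against the sequence number as it arrived, saved before trimming). The `/* XXX outside window? XXX */` placeholder should also be replaced by a comment stating the rule being enforced and why, so a later reader does not have to rediscover the ordering dependency.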
It appears that the RST sequence validation must be done before the packet
is trimmed to fit the window (which my patch does).
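The ordering problem described in this thread, as an added C illustration that is not code from FreeBSD or from either poster: it models the quoted trim-to-window step (snipped special cases omitted, and todrop clamped to ti_len so the model never underflows, both assumptions of this example) with hypothetical `struct conn` / `struct seg` stand-ins for the tcpcb and tcpiphdr fields, then applies the patch's window test either after the trim, as the patch does, or before it, as Don recommends. A constructed RST that starts below rcv_nxt is accepted by the first ordering and rejected by the second.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* BSD sequence-space comparisons: modular 32-bit arithmetic, as in tcp_seq.h. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* Hypothetical stand-ins for the tcpcb and tcpiphdr fields this example uses. */
struct conn { uint32_t rcv_nxt; uint32_t rcv_wnd; };
struct seg  { uint32_t ti_seq; uint32_t ti_len; bool rst; };

/* The window test from the patch: the segment must start at or after rcv_nxt
 * and before the right edge of the receive window. Returns true if in window. */
static bool rst_seq_in_window(const struct conn *tp, const struct seg *ti)
{
    if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
        SEQ_LT(ti->ti_seq, tp->rcv_nxt))
        return false;
    return true;
}

/* Simplified model of the trim step quoted from tcp_input(): bytes that
 * precede rcv_nxt are discarded and ti_seq is advanced past them. The snipped
 * special cases are omitted; todrop is clamped to ti_len (assumption). */
static void trim_to_window(const struct conn *tp, struct seg *ti)
{
    int32_t todrop = (int32_t)(tp->rcv_nxt - ti->ti_seq);
    if (todrop > 0) {
        if ((uint32_t)todrop > ti->ti_len)
            todrop = (int32_t)ti->ti_len;
        ti->ti_seq += (uint32_t)todrop;   /* stale start now equals rcv_nxt */
        ti->ti_len -= (uint32_t)todrop;
    }
}

/* Ordering A (the patch as posted): trim first, then validate the RST.
 * Returns true if the RST would be acted upon. */
static bool rst_accepted_check_after_trim(const struct conn *tp, struct seg in)
{
    struct seg ti = in;
    trim_to_window(tp, &ti);
    return ti.rst && rst_seq_in_window(tp, &ti);
}

/* Ordering B (Don's point): validate on the sequence number the segment
 * arrived with, before the trim can rewrite it. */
static bool rst_accepted_check_before_trim(const struct conn *tp, struct seg in)
{
    if (in.rst && !rst_seq_in_window(tp, &in))
        return false;
    struct seg ti = in;
    trim_to_window(tp, &ti);
    return ti.rst;
}

int main(void)
{
    /* Constructed connection state: next expected byte 1000, window 4096. */
    struct conn tp = { .rcv_nxt = 1000, .rcv_wnd = 4096 };
    /* Constructed stale RST: starts 500 bytes before rcv_nxt, spans 600 bytes. */
    struct seg old = { .ti_seq = 500, .ti_len = 600, .rst = true };

    printf("check after trim  accepts stale RST: %s\n",
           rst_accepted_check_after_trim(&tp, old) ? "yes" : "no");
    printf("check before trim accepts stale RST: %s\n",
           rst_accepted_check_before_trim(&tp, old) ? "yes" : "no");
    return 0;
}
```

The two orderings agree on segments that arrive inside the window and on segments beyond its right edge; they differ only for a segment that starts below rcv_nxt, which is exactly the case the SEQ_LT half of the patch was meant to catch and the case the trim erases.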
