Date:      Fri, 20 May 2005 10:24:33 -0700
From:      Tim Traver <tt-list@simplenet.com>
To:        Uwe Doering <gemini@geminix.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Possible PAWS security vulnerability
Message-ID:  <428E1D51.8060105@simplenet.com>
In-Reply-To: <428E1B96.3020306@geminix.org>
References:  <428E0FD2.3070200@simplenet.com> <428E1B96.3020306@geminix.org>

Uwe,

Thank you. That really answers my original question.

As I said, this was not my patch, and I didn't really even ask for one, 
but Ted created it, and then acted like a jerk to get me to post it to 
you guys.

Sorry to have taken your time.

Tim.


Uwe Doering wrote:

> Tim Traver wrote:
>
>> Hello security gurus,
>>
>> yesterday, I mistakenly posted a question on the questions list about 
>> this article:
>>
>> http://www.securityfocus.com/bid/13676/info/
>>
>> which talks about a form of DoS vulnerability.
>>
>> I was curious as to the possibility of FreeBSD 5.x being affected, 
>> and if anyone was working on this or not.
>>
>> Ted Mittelstaedt posted this possible patch based upon the OpenBSD 
>> patch:
>>
>> in /usr/src/sys/netinet
>>
>> *** tcp_input.c.original        Thu May 19 11:52:30 2005
>> --- tcp_input.c Thu May 19 12:00:14 2005
>> ***************
>> *** 976,984 ****
>> --- 976,992 ----
>>                 * record the timestamp.
>>                 * NOTE that the test is modified according to the latest
>>                 * proposal of the tcplw@cray.com list (Braden 
>> 1993/04/26).
>> +                * NOTE2 additional check added as a result of PAWS 
>> vulnerability
>> +                * documented in Cisco security notice 
>> cisco-sn-20050518-tcpts
>> +                * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
>>                 */
>>                if ((to.to_flags & TOF_TS) != 0 &&
>>                    SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
>> +                       if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
>> +
>> +                               ((thflags & (TH_SYN|TH_FIN)) != 0)))
>> +                                 tp->ts_recent = to.to_tsval;
>> +                       else
>> +                               tp->ts_recent = 0;
>>                        tp->ts_recent_age = ticks;
>>                        tp->ts_recent = to.to_tsval;
>>                }
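Review bot: the new `if`/`else` that sets `tp->ts_recent` is dead code, because the original `tp->ts_recent = to.to_tsval;` two lines below is kept as unchanged context and overwrites the value unconditionally, so the PAWS check this hunk is meant to add never takes effect. Either turn that line into a `-` line, or, simpler, fold the new condition into the enclosing `if` so the whole block is skipped when our last ACK does not fall inside the segment: `SEQ_LEQ(th->th_seq, tp->last_ack_sent) && SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen + ((thflags & (TH_SYN|TH_FIN)) != 0))`. As posted the hunk also will not apply cleanly: the lone `+` line between the `SEQ_LEQ(tp->last_ack_sent, ...` line and the `((thflags & ...` line looks like the trailing `+` operator after `tlen` wrapped by the mailer, and in the `else` branch `ts_recent_age` is still advanced even though `ts_recent` is being cleared.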
>
>
> I wonder, what good does it do to set 'tp->ts_recent' conditionally if 
> you overwrite it with 'to.to_tsval' two lines later in any case.  So 
> far, I'd say this patch looks faulty.
>
> Apart from that, why develop your own patch when there is one already 
> in CVS:
>
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=h 
>
>
> As far as I can tell there are good chances that it even applies 
> flawlessly to RELENG_4.
>
>    Uwe
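A small simulation of the ts_recent bookkeeping this thread is about, added here as an example; it is not code from this list or from the FreeBSD tree. The macro and field names echo tcp_seq.h and tcp_input.c, but the struct layout, the hz value, and every sequence number and timestamp value are assumptions made for the demonstration. It shows why the extra test matters: with the pre-patch condition (segment sequence number not after last_ack_sent), a spoofed old segment carrying a large timestamp replaces ts_recent and the peer's genuine segments are then rejected by PAWS until the 24-day idle limit expires; with the additional check that last_ack_sent also falls inside the segment, the spoofed segment does not touch ts_recent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modular comparisons in the style of sys/netinet/tcp_seq.h. */
typedef uint32_t tcp_seq;
#define SEQ_LEQ(a, b)  ((int32_t)((a) - (b)) <= 0)
#define TSTMP_LT(a, b) ((int32_t)((a) - (b)) < 0)

#define TH_FIN 0x01
#define TH_SYN 0x02
#define HZ_ASSUMED 100                                   /* assumption: hz = 100 */
#define TCP_PAWS_IDLE (24 * 24 * 60 * 60 * HZ_ASSUMED)   /* 24 days in ticks */

struct tcpcb_ts {               /* only the PAWS-related fields of a tcpcb (assumed layout) */
    tcp_seq  last_ack_sent;
    uint32_t ts_recent;
    uint32_t ts_recent_age;
};

struct segment {                /* what the check needs from a received segment */
    tcp_seq  seq;
    uint32_t len;               /* tlen in tcp_input.c */
    uint8_t  flags;             /* thflags */
    bool     has_ts;            /* TOF_TS */
    uint32_t tsval;             /* to.to_tsval */
};

enum { PAWS_DROP = 0, PAWS_ACCEPT = 1 };

/*
 * PAWS check followed by the "record the timestamp" block.
 * fixed == false: pre-patch test, seq <= last_ack_sent only.
 * fixed == true:  additionally require last_ack_sent <= seq + len + (SYN|FIN),
 *                 i.e. our last ACK really falls inside this segment.
 */
int paws_process(struct tcpcb_ts *tp, const struct segment *s, uint32_t ticks, bool fixed)
{
    if (s->has_ts && tp->ts_recent != 0 && TSTMP_LT(s->tsval, tp->ts_recent)) {
        if ((int32_t)(ticks - tp->ts_recent_age) > TCP_PAWS_IDLE)
            tp->ts_recent = 0;      /* ts_recent is stale, forget it */
        else
            return PAWS_DROP;       /* "dropafterack" in tcp_input.c */
    }

    if (s->has_ts && SEQ_LEQ(s->seq, tp->last_ack_sent)) {
        bool in_segment = SEQ_LEQ(tp->last_ack_sent,
                                  s->seq + s->len + ((s->flags & (TH_SYN | TH_FIN)) != 0));
        if (!fixed || in_segment) {
            tp->ts_recent_age = ticks;
            tp->ts_recent = s->tsval;
        }
    }
    return PAWS_ACCEPT;
}

/*
 * Constructed scenario: an established connection, one spoofed segment whose
 * sequence number lies far "before" last_ack_sent (old data, outside the
 * window, but still satisfying SEQ_LEQ) and carrying a huge timestamp, then
 * three genuine segments from the peer.  Returns how many genuine segments
 * survive the PAWS check; *ts_after reports ts_recent right after the spoof.
 */
int run_scenario(bool fixed, uint32_t *ts_after)
{
    struct tcpcb_ts tp = { .last_ack_sent = 1000000, .ts_recent = 5000, .ts_recent_age = 0 };
    struct segment spoofed = { .seq = 1000000 - 500000, .len = 1, .flags = 0,
                               .has_ts = true, .tsval = 2000000000u };

    (void)paws_process(&tp, &spoofed, 1, fixed);
    if (ts_after)
        *ts_after = tp.ts_recent;

    int accepted = 0;
    for (int i = 0; i < 3; i++) {
        struct segment genuine = { .seq = tp.last_ack_sent, .len = 100, .flags = 0,
                                   .has_ts = true, .tsval = 5010 + 10 * i };
        if (paws_process(&tp, &genuine, 2 + i, fixed) == PAWS_ACCEPT) {
            accepted++;
            tp.last_ack_sent = genuine.seq + genuine.len;   /* we ACK what we accepted */
        }
    }
    return accepted;
}

uint32_t ts_recent_after_spoof(bool fixed)
{
    uint32_t ts = 0;
    (void)run_scenario(fixed, &ts);
    return ts;
}

int main(void)
{
    printf("pre-patch: ts_recent=%u after spoof, %d/3 genuine segments accepted\n",
           ts_recent_after_spoof(false), run_scenario(false, NULL));
    printf("patched:   ts_recent=%u after spoof, %d/3 genuine segments accepted\n",
           ts_recent_after_spoof(true), run_scenario(true, NULL));
    return 0;
}
```

The spoofed segment only has to sit anywhere in the half of the sequence space that SEQ_LEQ treats as "not after" last_ack_sent, so the attacker needs no knowledge of the window; that is what makes the pre-patch test so weak. Note that the order matters in the real code as well: the timestamp is recorded before the old data is trimmed, so the segment being discarded later does not undo the damage.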
