Date:      Fri, 21 Jan 2000 12:03:35 +1100 (Australia/NSW)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        brett@lariat.org (Brett Glass)
Cc:        avalon@coombs.anu.edu.au (Darren Reed), imp@village.org (Warner Losh), jamiE@arpa.com (jamiE rishaw - master e*tard), tom@uniserve.com (Tom), mike@sentex.net (Mike Tancsa), freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject:   Re: bugtraq posts: stream.c - new FreeBSD exploit?
Message-ID:  <200001210103.MAA20844@cairo.anu.edu.au>
In-Reply-To: <4.2.2.20000120174826.01882ad0@localhost> from "Brett Glass" at Jan 20, 2000 05:51:19 PM

In some mail from Brett Glass, sie said:
> 
> Darren:
> 
> Glad to see you are in on this discussion.
> 
> The code you use for the "keep state" option in IPFilters might be
> able to recognize that the ACK does not belong to an existing
> connection. Could a fast check be implemented as a rule under 
> IPFilters? (If it could, it's probably a one-liner, but I'd need
> to figure out how to write it since I do not deal with IPFilters
> on a regular basis.) If not, it seems as if the framework might
> mostly be in place in your code.

If you're using "flags S keep state" or "flags S/SA keep state",
then as far as I'm aware, having read the code, you are safe.

I'm intrigued to know what the bug is.  Reading the code, it is
hard to see how you could make a box fall over using it, unless
there were some serious problems in how random TCP ACKs were
handled.

Darren
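
Added illustration, not part of the message above and not IPFilter code: a simplified Python model of why a rule of the form "flags S/SA keep state" behind a default block leaves an ACK that belongs to no connection with nothing to match. The class and function names are hypothetical, the addresses are constructed documentation addresses, and sequence-window checks and state timeouts are omitted.

```python
# Simplified model of "flags S/SA keep state" behind a default block rule.
# Constructed illustration only; not IPFilter source. Real state tracking
# also checks sequence windows and expires entries, which is omitted here.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class StatefulFilter:
    def __init__(self, match=SYN, mask=SYN | ACK):
        self.match, self.mask = match, mask  # "S/SA": SYN set, ACK clear
        self.states = set()                  # connections with state

    @staticmethod
    def _key(src, sport, dst, dport):
        # Direction-independent key so replies hit the same entry.
        return frozenset([(src, sport), (dst, dport)])

    def check(self, src, sport, dst, dport, flags):
        key = self._key(src, sport, dst, dport)
        if key in self.states:
            return "pass"                    # belongs to a known connection
        if (flags & self.mask) == self.match:
            self.states.add(key)             # initial SYN creates the state
            return "pass"
        return "block"                       # e.g. an ACK with no connection


def run_sample():
    """Feed constructed packets through the filter; return the verdicts."""
    fw = StatefulFilter()
    server = ("192.0.2.10", 80)
    client = ("198.51.100.7", 40000)
    packets = [
        (*client, *server, SYN),                    # handshake: SYN
        (*server, *client, SYN | ACK),              # handshake: SYN+ACK reply
        (*client, *server, ACK),                    # handshake: final ACK
        ("203.0.113.5", 1111, *server, ACK),        # ACK, no matching state
        ("203.0.113.9", 2222, *server, ACK),        # ACK, no matching state
        ("203.0.113.9", 3333, *server, SYN | ACK),  # SYN+ACK, no state
    ]
    return [fw.check(*p) for p in packets]


if __name__ == "__main__":
    print(run_sample())
```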

