From owner-freebsd-stable Thu Jan 20 17: 4: 5 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11])
	by hub.freebsd.org (Postfix) with ESMTP
	id 810CD15291; Thu, 20 Jan 2000 17:03:53 -0800 (PST)
	(envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost)
	by cairo.anu.edu.au (8.9.3/8.9.3) id MAA20844;
	Fri, 21 Jan 2000 12:03:35 +1100 (EST)
From: Darren Reed
Message-Id: <200001210103.MAA20844@cairo.anu.edu.au>
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
To: brett@lariat.org (Brett Glass)
Date: Fri, 21 Jan 2000 12:03:35 +1100 (Australia/NSW)
Cc: avalon@coombs.anu.edu.au (Darren Reed), imp@village.org (Warner Losh),
	jamiE@arpa.com (jamiE rishaw - master e*tard), tom@uniserve.com (Tom),
	mike@sentex.net (Mike Tancsa), freebsd-security@FreeBSD.ORG,
	freebsd-stable@FreeBSD.ORG, security-officer@FreeBSD.ORG
In-Reply-To: <4.2.2.20000120174826.01882ad0@localhost> from "Brett Glass" at Jan 20, 2000 05:51:19 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In some mail from Brett Glass, sie said:
>
> Darren:
>
> Glad to see you are in on this discussion.
>
> The code you use for the "keep state" option in IPFilters might be
> able to recognize that the ACK does not belong to an existing
> connection. Could a fast check be implemented as a rule under
> IPFilters? (If it could, it's probably a one-liner, but I'd need
> to figure out how to write it since I do not deal with IPFilters
> on a regular basis.) If not, it seems as if the framework might
> mostly be in place in your code.

If you're using "flags S keep state" or "flags S/SA keep state", then
as far as I'm aware, having read the code, you are safe.

I'm intrigued to know what the bug is.
Reading the code, it is hard to see how you could make a box fall over
using it, unless there were some serious problems in how random TCP
ACK's were handled.

Darren
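
The behaviour described above for "flags S keep state" and "flags S/SA keep state", as a simplified Python model added here (not IPFilter's code and not part of the original message): only a SYN may create a state entry, so an ACK that matches no entry is dropped. The model assumes a default-block ruleset, keys state on addresses and ports only (no sequence-window checks), and uses constructed traffic with documentation addresses; the class and function names are hypothetical.

```python
# Simplified model of a stateful filter (added example, not IPFilter's code).
from collections import namedtuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
Packet = namedtuple("Packet", "src sport dst dport flags")

def flags_match(pkt_flags, want, mask=ALL_FLAGS):
    """ipf-style 'flags want/mask': only the bits in mask are compared.
    A bare 'flags S' compares all six flags, so only a pure SYN matches."""
    return (pkt_flags & mask) == want

class StatefulFilter:
    """Models 'pass ... flags S[/mask] keep state' over a default block."""
    def __init__(self, mask=ALL_FLAGS):
        self.mask = mask
        self.states = set()

    @staticmethod
    def _key(p):
        # Same key for both directions of one connection.
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def check(self, p):
        if self._key(p) in self.states:
            return "pass-state"          # belongs to a tracked connection
        if flags_match(p.flags, SYN, self.mask):
            self.states.add(self._key(p))
            return "pass-new"            # SYN opens a new state entry
        return "block"                   # e.g. an ACK with no connection

def run_demo():
    # Constructed traffic using documentation address ranges.
    fw = StatefulFilter(mask=SYN | ACK)  # 'flags S/SA keep state'
    traffic = [
        Packet("192.0.2.10", 40000, "198.51.100.5", 80, SYN),
        Packet("198.51.100.5", 80, "192.0.2.10", 40000, SYN | ACK),
        Packet("192.0.2.10", 40000, "198.51.100.5", 80, ACK),
        # Stray ACKs from sources that never sent a SYN:
        Packet("203.0.113.7", 1234, "198.51.100.5", 80, ACK),
        Packet("203.0.113.99", 5555, "198.51.100.5", 80, ACK),
    ]
    verdicts = [fw.check(p) for p in traffic]
    return verdicts, len(fw.states)

if __name__ == "__main__":
    print(run_demo())
```

The stray ACKs create no state entries, so the table holds one entry for the one real connection regardless of how many unsolicited ACKs arrive.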