Date: Sun, 17 Dec 2000 09:59:14 -0600
From: "Jacques A. Vidrine" <n@nectar.com>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: Kris Kennaway <kris@FreeBSD.org>, jesper@skriver.dk, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217095914.A61976@spawn.nectar.com>
In-Reply-To: <17340.977045052@critter>; from phk@critter.freebsd.dk on Sun, Dec 17, 2000 at 10:24:12AM +0100
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter>
On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> In message <20001217012007.A18038@citusc.usc.edu>, Kris Kennaway writes:
> >This sounds like a security hole since ICMP messages don't have a TCP
> >sequence number meaning they can be trivially spoofed - am I wrong?
>
> There was some discussion on the list, and the result was that the
> default is this behaviour is "off" for now.
>
> Since we only react to this in "SYN-SENT" I think the window of
> opportunity is rather small in the first place...

[ I haven't looked at the patch ]

ICMP packets include the headers of the packets that `triggered' them, so we do have a sequence number.

I think the correct thing to do is to pull the source address, destination address, source port, destination port, and sequence number from the ICMP message, and zap the corresponding connection IFF the sequence number is in the window.

-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
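The check Jacques describes, written out as an added example in C; this is illustration code, not the FreeBSD patch under discussion or anything from ip_icmp.c. It assumes a simplified, hypothetical connection table (`struct tcp_conn`) standing in for the kernel's PCBs, and an ICMP error whose payload quotes the IPv4 header plus at least the first 8 bytes of the TCP header of the packet the host itself sent (so the quoted source address and port are the local ones). A connection is dropped only if the four-tuple matches, the connection is in SYN-SENT, and the quoted sequence number lies in the unacknowledged send window [snd_una, snd_nxt). Sample addresses, ports and sequence numbers in `demo_verdict` are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified connection record (stand-in for a kernel PCB). */
struct tcp_conn {
    uint32_t laddr, faddr;   /* local / foreign IPv4 address, host byte order */
    uint16_t lport, fport;   /* local / foreign port, host byte order */
    int      syn_sent;       /* non-zero while the connection is in SYN-SENT */
    uint32_t snd_una;        /* oldest unacknowledged sequence number */
    uint32_t snd_nxt;        /* next sequence number to be sent */
};

/* Modular sequence-number comparisons, so the check survives 32-bit wraparound. */
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)

enum icmp_verdict { ICMP_IGNORE = 0, ICMP_ABORT = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/*
 * Decide what to do with an ICMP error. `payload` points just past the 8-byte
 * ICMP header, i.e. at the quoted IPv4 header of the packet that triggered it.
 * Every malformed or non-matching case falls through to ICMP_IGNORE.
 */
enum icmp_verdict icmp_tcp_verdict(const uint8_t *payload, size_t len,
                                   const struct tcp_conn *conns, size_t nconns)
{
    if (len < 20 || (payload[0] >> 4) != 4)
        return ICMP_IGNORE;                       /* not a quoted IPv4 header */
    size_t ihl = (size_t)(payload[0] & 0x0f) * 4;
    if (ihl < 20 || payload[9] != 6 /* IPPROTO_TCP */ || len < ihl + 8)
        return ICMP_IGNORE;                       /* bad IHL, not TCP, or too short */

    uint32_t src = rd32(payload + 12), dst = rd32(payload + 16);
    const uint8_t *th = payload + ihl;            /* quoted TCP header: ports + seq */
    uint16_t sport = rd16(th), dport = rd16(th + 2);
    uint32_t seq = rd32(th + 4);

    for (size_t i = 0; i < nconns; i++) {
        const struct tcp_conn *c = &conns[i];
        /* The quoted packet was sent by us, so its source is our local side. */
        if (c->laddr != src || c->faddr != dst || c->lport != sport || c->fport != dport)
            continue;
        if (!c->syn_sent)
            return ICMP_IGNORE;                   /* only react while in SYN-SENT */
        if (SEQ_GEQ(seq, c->snd_una) && SEQ_LT(seq, c->snd_nxt))
            return ICMP_ABORT;                    /* seq is in the send window */
        return ICMP_IGNORE;                       /* tuple matched, seq did not */
    }
    return ICMP_IGNORE;                           /* no such connection */
}

/* Build a quoted IPv4 header (20 bytes, no options) + 8 bytes of TCP header. */
size_t build_quoted_payload(uint8_t *buf, uint32_t src, uint32_t dst,
                            uint16_t sport, uint16_t dport, uint32_t seq)
{
    for (int i = 0; i < 28; i++) buf[i] = 0;
    buf[0] = 0x45;                                /* version 4, IHL 5 */
    buf[9] = 6;                                   /* protocol TCP */
    wr32(buf + 12, src); wr32(buf + 16, dst);
    wr16(buf + 20, sport); wr16(buf + 22, dport); wr32(buf + 24, seq);
    return 28;
}

/* Constructed scenario: one local connection in SYN-SENT with ISS = iss. */
int demo_verdict(uint32_t iss, uint32_t quoted_seq, size_t truncate_to, int syn_sent)
{
    struct tcp_conn c = { 0x0A000001u, 0xC0A80101u, 40000, 80, syn_sent, iss, iss + 1 };
    uint8_t buf[28];
    size_t n = build_quoted_payload(buf, c.laddr, c.faddr, c.lport, c.fport, quoted_seq);
    if (truncate_to < n) n = truncate_to;
    return (int)icmp_tcp_verdict(buf, n, &c, 1);
}

int main(void)
{
    printf("exact ISS quoted     -> %d (1 = abort)\n", demo_verdict(1000, 1000, 28, 1));
    printf("wrong seq quoted     -> %d\n", demo_verdict(1000, 999, 28, 1));
    printf("truncated quote      -> %d\n", demo_verdict(1000, 1000, 20, 1));
    printf("not in SYN-SENT      -> %d\n", demo_verdict(1000, 1000, 28, 0));
    return 0;
}
```

In SYN-SENT the window [snd_una, snd_nxt) covers exactly one value, the initial sequence number, so an ICMP error that does not carry the right 32-bit ISS is discarded; only the host that really received the SYN can quote it back.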