Date:      Tue, 19 Dec 2000 19:19:29 +0100
From:      Jesper Skriver <jesper@skriver.dk>
To:        Don Lewis <Don.Lewis@tsc.tdk.com>
Cc:        Kris Kennaway <kris@FreeBSD.ORG>, Poul-Henning Kamp <phk@critter.freebsd.dk>, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject:   Re: what to do now ?  Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID:  <20001219191929.D40568@skriver.dk>
In-Reply-To: <200012191425.GAA14731@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Tue, Dec 19, 2000 at 06:25:46AM -0800
References:  <20001218182600.C1856@skriver.dk> <200012191425.GAA14731@salsa.gv.tsc.tdk.com>

On Tue, Dec 19, 2000 at 06:25:46AM -0800, Don Lewis wrote:

> In the other states, RFC 793 says that the RST sanity checking is done by
> comparing the sequence number of the incoming RST packet against
> the transmit window (our outgoing acknowledgement numbers).  The host
> sending the RST is supposed to copy the acknowledgement number from
> an incoming packet to the sequence number of the outgoing RST packet.
> This presents a bit of a problem if we try to do the same thing with ICMP,
> since it appears that the acknowledgement number is trimmed off the
> data that is returned in the ICMP packet.
> 
> It's been too long a day for me to figure out the security implications
> of nuking non-SYN-SENT connections based on the sequence number (which
> would still be better than nuking these connections without any additional
> checking).  If we want to do this, the test should probably be:
> 
> 	if (SEQ_LEQ(tcp_sequence, tp->snd_una) ||
> 		SEQ_GT(tcp_sequence, tp->snd_max)) {
> 
> though someone needs to check this for fencepost errors.

It should be

	if (SEQ_LT(tcp_sequence, tp->snd_una) ||
		SEQ_GT(tcp_sequence, tp->snd_max)) {

As the sequence number will be == tp->snd_una when the window is zero.

I'll submit a new later tonight, as I haven't heard anything, I'll make a
sysctl control if it should have effect on all sessions, or only those
in SYN-SENT state, defaulting to those in SYN-SENT state only.

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
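The two variants of the check compared above, as an added C example that is not part of this thread or of FreeBSD's ip_icmp.c: the SEQ_* macros are written out in the modular-arithmetic form FreeBSD's tcp_seq.h uses, and `struct tcb_window` and the `icmp_seq_in_window_*` functions are names assumed here for illustration. It also shows that the corrected test still behaves when the window straddles the 32-bit sequence wraparound.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Serial-number comparisons over the 32-bit TCP sequence space, in the
 * same form as the SEQ_* macros in <netinet/tcp_seq.h>. The signed cast
 * makes the comparison correct across the 2^32 wraparound. */
#define SEQ_LT(a, b)   ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b)  ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)   ((int32_t)((a) - (b)) > 0)

/* Stand-in (hypothetical) for the two tcpcb fields the check reads. */
struct tcb_window {
    uint32_t snd_una;   /* oldest unacknowledged sequence number */
    uint32_t snd_max;   /* highest sequence number sent so far + 1 */
};

/* Don's proposal: SEQ_LEQ rejects tcp_sequence == snd_una, so an idle
 * connection (snd_una == snd_max, nothing in flight) can never match. */
static bool icmp_seq_in_window_leq(const struct tcb_window *tp, uint32_t tcp_sequence)
{
    if (SEQ_LEQ(tcp_sequence, tp->snd_una) || SEQ_GT(tcp_sequence, tp->snd_max))
        return false;
    return true;
}

/* Jesper's correction: accept snd_una <= tcp_sequence <= snd_max, so the
 * zero-window / idle case (tcp_sequence == snd_una) still passes. */
static bool icmp_seq_in_window_lt(const struct tcb_window *tp, uint32_t tcp_sequence)
{
    if (SEQ_LT(tcp_sequence, tp->snd_una) || SEQ_GT(tcp_sequence, tp->snd_max))
        return false;
    return true;
}

int main(void)
{
    /* Constructed: idle connection with nothing outstanding. */
    struct tcb_window idle = { .snd_una = 1000, .snd_max = 1000 };
    printf("idle, seq=1000: LEQ variant=%d, LT variant=%d\n",
           icmp_seq_in_window_leq(&idle, 1000), icmp_seq_in_window_lt(&idle, 1000));

    /* Constructed: outstanding data straddling the sequence wraparound. */
    struct tcb_window wrap = { .snd_una = 0xFFFFFFF0u, .snd_max = 0x00000010u };
    printf("wrap, seq=5: LT variant=%d (in window despite 5 < 0xFFFFFFF0)\n",
           icmp_seq_in_window_lt(&wrap, 5));
    return 0;
}
```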

