Date:      Fri, 21 Nov 1997 16:37:17 -0800
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Don Lewis <Don.Lewis@tsc.tdk.com>, Jim Shankland <jas@flyingfox.com>, robert@cyrus.watson.org
Cc:        security@FreeBSD.ORG
Subject:   Re: new TCP/IP bug in win95 (fwd)
Message-ID:  <199711220037.QAA16107@salsa.gv.tsc.tdk.com>
In-Reply-To: Don Lewis <Don.Lewis@tsc.tdk.com> "Re: new TCP/IP bug in win95 (fwd)" (Nov 21,  5:00am)

On Nov 21,  5:00am, Don Lewis wrote:
} Subject: Re: new TCP/IP bug in win95 (fwd)
} 
} I think something like this (untested) patch should do the trick:
} 
} --- tcp_input.c.prev	Fri Nov 21 04:34:51 1997
} +++ tcp_input.c	Fri Nov 21 05:00:07 1997
} @@ -752,6 +752,17 @@
}  		}
}  
}  	/*
} +	 * If the state is SYN_RCVD:
} +	 *	if seg contains an ACK, but not for our SYN,ACK, drop the input.
} +	 * Otherwise continue processing
} +	 */
} +	case TCPS_SYN_RECEIVED:
} +		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
} +		    SEQ_GT(ti->ti_ack, tp->snd_max))
} +			goto dropwithreset;
} + 		break;  /* continue normal processing */

This is badly broken since this check should only be done if the ACK bit
is set.

} +
} +	/*
}  	 * If the state is SYN_SENT:
}  	 *	if seg contains an ACK, but not for our SYN, drop the input.
}  	 *	if seg contains a RST, then drop the connection.
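Review bot: the comparison under `case TCPS_SYN_RECEIVED:` runs for every segment in that state with no `tiflags & TH_ACK` test in front of it, so a retransmitted SYN, whose ack field carries nothing meaningful, is judged by `SEQ_GT(tp->snd_una, ti->ti_ack)` and sent to `dropwithreset`; the condition the comment describes ("if seg contains an ACK, but not for our SYN,ACK") has to appear in the code as a flag test, not only in the comment. Even with that guard, the range test alone accepts a segment with SYN and ACK both set whenever its ack number happens to fall in [snd_una, snd_max], so it does not by itself reject a SYN,ACK. Minor: the added `break;` line has a leading space before its tabs, unlike the surrounding indentation.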
} @@ -1171,9 +1182,7 @@
}  	 * send an RST.
}  	 */
}  	case TCPS_SYN_RECEIVED:
} -		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
} -		    SEQ_GT(ti->ti_ack, tp->snd_max))
} -			goto dropwithreset;
} +		/* ACK validation was done earlier, before window trim */
}  
}  		tcpstat.tcps_connects++;
}  		soisconnected(so);
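Review bot: the replacement comment `/* ACK validation was done earlier, before window trim */` makes this hunk depend on the check added in the first hunk, and that check as posted does not require `TH_ACK`, so removing the `SEQ_GT` comparison here leaves SYN_RECEIVED with no ack-range test that is conditioned on the ACK bit; keep these three lines until the earlier check tests the flag, or put the flag test into the earlier check in the same patch. A `case TCPS_SYN_RECEIVED:` label followed only by a comment and then `tcpstat.tcps_connects++` is valid C but reads as an accidentally emptied case; saying in the comment where the moved test now lives would make the intent obvious.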
}-- End of excerpt from Don Lewis

I like the following patch better since it is both smaller and doesn't
require investigating all the different possible relationships between
sequence numbers.  Comments?

--- tcp_input.c.prev	Fri Nov 21 04:34:51 1997
+++ tcp_input.c	Fri Nov 21 16:32:10 1997
@@ -752,6 +752,18 @@
 		}
 
 	/*
+	 * If the state is SYN_RCVD:
+	 *	If seg contains a SYN,ACK, then drop it and send a RST.
+	 *	We should only ever get an ACK or a duplicate SYN (if our
+	 *	SYN,ACK was lost) in this state.
+	 * Otherwise continue processing
+	 */
+	case TCPS_SYN_RECEIVED:
+		if ((tiflags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK))
+			goto dropwithreset;
+ 		break;  /* continue normal processing */
+
+	/*
 	 * If the state is SYN_SENT:
 	 *	if seg contains an ACK, but not for our SYN, drop the input.
 	 *	if seg contains a RST, then drop the connection.
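Review bot: the new comment says only an ACK or a duplicate SYN is expected in SYN_RCVD, but a RST (usually RST,ACK) is also legitimate in this state; the test `(tiflags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)` does let it through to the later RST handling, so only the comment needs extending. Because this patch has a single hunk and leaves the `SEQ_GT` ack-range check at the later `TCPS_SYN_RECEIVED` case untouched, a bare ACK with an out-of-range ack number is still caught there; a sentence in the comment to that effect would stop a reader from assuming this test replaces it. The `break;` line again carries a leading space before its tabs (`+ \t\tbreak;`), inconsistent with the surrounding lines.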
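To make the difference between the two approaches concrete, here is an added C model (not code from this message or from FreeBSD's tcp_input.c) of the SYN_RECEIVED input check, run over five constructed segments: the first patch's ack-range comparison as posted, the same comparison guarded by the ACK bit, and the second patch's SYN,ACK flag test. The `tcpcb` and `segment` structures, `verdict_for()`, the sample sequence numbers and the segment list are simplified stand-ins invented for the example; only the TH_* bits and `SEQ_GT` follow the BSD definitions.

```c
/*
 * Added example, not FreeBSD code: a model of the SYN_RECEIVED input check
 * from the two patches, applied to constructed segments.  Names mirror
 * tcp_input.c (tiflags, snd_una, snd_max, ti_ack, SEQ_GT); the structs are
 * simplified stand-ins.
 */
#include <stdint.h>
#include <stdio.h>

#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_ACK  0x10

/* Serial-number comparison as in tcp_seq.h: correct across 32-bit wraparound. */
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)

/* Sender-side state of a connection sitting in SYN_RECEIVED. */
struct tcpcb {
    uint32_t snd_una;   /* oldest unacknowledged sequence number */
    uint32_t snd_max;   /* highest sequence number sent so far */
};

/* The two fields of an incoming segment these checks look at. */
struct segment {
    int      flags;     /* TH_* bits (tiflags) */
    uint32_t ack;       /* acknowledgement field (ti->ti_ack) */
};

enum verdict { CONTINUE, DROP_WITH_RESET };

/* First patch as posted: compares ti_ack without checking that TH_ACK is set. */
enum verdict synrcvd_check_v1(const struct tcpcb *tp, const struct segment *s)
{
    if (SEQ_GT(tp->snd_una, s->ack) || SEQ_GT(s->ack, tp->snd_max))
        return DROP_WITH_RESET;
    return CONTINUE;
}

/* The same range test, applied only when the segment actually carries an ACK. */
enum verdict synrcvd_check_v1_fixed(const struct tcpcb *tp, const struct segment *s)
{
    if ((s->flags & TH_ACK) &&
        (SEQ_GT(tp->snd_una, s->ack) || SEQ_GT(s->ack, tp->snd_max)))
        return DROP_WITH_RESET;
    return CONTINUE;
}

/* Second patch: reject any segment carrying SYN and ACK together, no sequence math. */
enum verdict synrcvd_check_v2(const struct tcpcb *tp, const struct segment *s)
{
    (void)tp;
    if ((s->flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
        return DROP_WITH_RESET;
    return CONTINUE;
}

/* Constructed state: our SYN,ACK used sequence number 1000, so one byte (the
 * SYN) is outstanding and the peer's ACK should be exactly 1001. */
static const struct tcpcb sample_tp = { .snd_una = 1000, .snd_max = 1001 };

/* Constructed segments arriving in SYN_RECEIVED. */
static const struct segment samples[] = {
    { TH_SYN,          0    },  /* 0: duplicate SYN, our SYN,ACK was lost */
    { TH_ACK,          1001 },  /* 1: the expected third-handshake ACK */
    { TH_ACK,          5000 },  /* 2: ACK for data we never sent */
    { TH_SYN | TH_ACK, 1001 },  /* 3: SYN,ACK, never legitimate in this state */
    { TH_RST | TH_ACK, 1001 },  /* 4: peer aborting the connection */
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

enum which { PATCH1, PATCH1_FIXED, PATCH2 };

/* Verdict of one variant on one constructed segment. */
enum verdict verdict_for(enum which w, unsigned idx)
{
    const struct segment *s = &samples[idx % NSAMPLES];
    switch (w) {
    case PATCH1:       return synrcvd_check_v1(&sample_tp, s);
    case PATCH1_FIXED: return synrcvd_check_v1_fixed(&sample_tp, s);
    default:           return synrcvd_check_v2(&sample_tp, s);
    }
}

int main(void)
{
    static const char *names[] = { "patch1", "patch1+ACK-guard", "patch2" };
    for (unsigned i = 0; i < NSAMPLES; i++) {
        printf("seg %u flags=0x%02x ack=%u:", i, samples[i].flags,
               (unsigned)samples[i].ack);
        for (int w = PATCH1; w <= PATCH2; w++)
            printf("  %s=%s", names[w],
                   verdict_for((enum which)w, i) == CONTINUE ? "continue" : "RST");
        putchar('\n');
    }
    return 0;
}
```

Running it shows the three behaviours side by side: the unguarded range test resets the duplicate SYN (segment 0) yet passes the SYN,ACK with an acceptable ack number (segment 3); the ACK-guarded variant fixes the former but still passes the latter; the flag test resets exactly the SYN,ACK and leaves the out-of-range bare ACK (segment 2) for the later ack-range check that the second patch keeps in place.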