Date: Fri, 15 May 1998 10:31:11 +0600 (ESS)
From: Vasim Valejev <vasim@diaspro.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:03.ttcp
Message-ID: <Pine.BSF.3.96.980515102150.13780B-100000@uddias.diaspro.com>
In-Reply-To: <199805141958.VAA12382@gvr.gvr.org>

Hi!
On Thu, 14 May 1998, FreeBSD Security Officer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-98:03 Security Advisory
> FreeBSD, Inc.
>
> Topic: Problems with TTCP
>
[skip]
> --- tcp_input.c 1998/04/24 10:08:57 1.74
> +++ tcp_input.c 1998/05/04 17:59:52 1.75
> @@ -680,7 +680,9 @@
> * - otherwise do a normal 3-way handshake.
> */
> if ((to.to_flag & TOF_CC) != 0) {
> - if (taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) {
> + if (tp->t_state & TF_NOPUSH &&
> + taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) {
> +
> taop->tao_cc = to.to_cc;
> tp->t_state = TCPS_ESTABLISHED;
>
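Review bot: the added test `tp->t_state & TF_NOPUSH` masks a TF_ flag bit against t_state, which two lines later is assigned a TCPS_ state value (`tp->t_state = TCPS_ESTABLISHED;`), so the outcome depends on the numeric value of the connection state rather than on whether the flag is set. If the intent is to gate the TAO shortcut on the NOPUSH flag, test the field that holds TF_ flags (the tcp_usrreq.c code later in this message sets them in `tp->t_flags`), and parenthesise and compare explicitly like the outer `(to.to_flag & TOF_CC) != 0` test. The empty added line after the condition can also be dropped.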
Maybe this fix will be better?
Index: tcp_seq.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_seq.h,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 tcp_seq.h
*** tcp_seq.h 1997/11/27 05:36:24 1.1.1.1
--- tcp_seq.h 1998/05/15 03:57:46
***************
*** 57,63 ****
*/
#define CC_LT(a,b) ((int)((a)-(b)) < 0)
#define CC_LEQ(a,b) ((int)((a)-(b)) <= 0)
! #define CC_GT(a,b) ((int)((a)-(b)) > 0)
#define CC_GEQ(a,b) ((int)((a)-(b)) >= 0)
/* Macro to increment a CC: skip 0 which has a special meaning */
--- 57,63 ----
*/
#define CC_LT(a,b) ((int)((a)-(b)) < 0)
#define CC_LEQ(a,b) ((int)((a)-(b)) <= 0)
! #define CC_GT(a,b) ((int)((a)-(b)) == 1)
#define CC_GEQ(a,b) ((int)((a)-(b)) >= 0)
/* Macro to increment a CC: skip 0 which has a special meaning */
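Review bot: redefining `CC_GT(a,b)` as `== 1` leaves a macro named "greater than" that is true only for the immediate successor, and it changes every caller of CC_GT, not only the TAO test; it is also no longer consistent with CC_LT, CC_LEQ and CC_GEQ beside it. Consider leaving CC_GT as it is and adding a separately named macro for the "exactly next" check, used only at the TAO test. Also note that the comment below says the CC increment skips 0, so across the wrap a legitimate next value differs from the cached one by 2 and would fail `== 1`.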
Index: tcp_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_usrreq.c,v
retrieving revision 1.2
diff -c -r1.2 tcp_usrreq.c
*** tcp_usrreq.c 1998/01/31 08:51:46 1.2
--- tcp_usrreq.c 1998/05/15 03:56:42
***************
*** 603,616 ****
bzero(taop, sizeof(*taop));
}
! tp->cc_send = CC_INC(tcp_ccgen);
! if (taop->tao_ccsent != 0 &&
! CC_GEQ(tp->cc_send, taop->tao_ccsent)) {
! taop->tao_ccsent = tp->cc_send;
! } else {
! taop->tao_ccsent = 0;
tp->t_flags |= TF_SENDCCNEW;
! }
return 0;
}
--- 603,613 ----
bzero(taop, sizeof(*taop));
}
! if (taop->tao_ccsent == 0)
tp->t_flags |= TF_SENDCCNEW;
! tp->cc_send = CC_INC(taop->tao_ccsent);
! if (taop->tao_ccsent == 0)
! taop->tao_ccsent = tp->cc_send;
return 0;
}
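Review bot: in the new block, `taop->tao_ccsent == 0` is tested twice around `tp->cc_send = CC_INC(taop->tao_ccsent);`. If CC_INC increments its argument in place and skips 0, as the removed `CC_INC(tcp_ccgen)` line and the tcp_seq.h comment suggest, tao_ccsent can no longer be 0 at the second test, so `taop->tao_ccsent = tp->cc_send;` never runs; either drop it or restructure the block into a single if/else. The change also stops drawing cc_send from the global tcp_ccgen and derives it from the per-host cache entry, which deserves a comment here stating the new invariant and a check of any remaining users of tcp_ccgen.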
After this fix the TAO-test algorithm is changed, and any attempts to use
RFC 1644's security hole will be rejected.
Vasim V. (2:5011/27 http://members.tripod.com/~Vasim VV86-RIPE)
