[7830] in bugtraq


Re: FreeBSD's RST validation

daemon@ATHENA.MIT.EDU (Bruce A. Mah)
Mon Aug 31 18:51:52 1998

Date: 	Mon, 31 Aug 1998 11:24:36 -0700
Reply-To: bmah@CA.Sandia.GOV
From: "Bruce A. Mah" <bmah@CA.SANDIA.GOV>
X-To:         Don Lewis <Don.Lewis@tsc.tdk.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Mon, 31 Aug 1998 06:06:36 PDT." 
              <199808311306.GAA27281@salsa.gv.tsc.tdk.com>

If memory serves me right, Don Lewis wrote:

> Back in December 1997, I posted the following patch for the LAND attack
> and also implemented stricter RST validation.  The variation of the
> LAND fix in the first two chunks of this patch was implemented (you'll
> have to look carefully at the code to find the second chunk), but I don't
> believe the rest of the fixes in this patch were applied.
>
> I've been running a version of this patch altered for 2.1.x since December
> without problems.  If you remove the first two chunks of this patch, it
> will apply cleanly to the 2.2-stable version of tcp_input.c, though I have
> no idea if it will work ...

[snip]

Personally, I had something a little less radical in mind.  Here's some
context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to
security-officer@freebsd.org last night after some quick testing.

Now someone can tell me why this isn't the right solution.  :-)

Bruce.

-----8<-----snip-----8<-----

*** tcp_input.c-dist    Mon May 18 10:12:44 1998
--- tcp_input.c Sun Aug 30 21:22:32 1998
***************
*** 809,815 ****
                                goto dropwithreset;
                }
                if (tiflags & TH_RST) {
!                       if (tiflags & TH_ACK)
                                tp = tcp_drop(tp, ECONNREFUSED);
                        goto drop;
                }
--- 809,818 ----
                                goto dropwithreset;
                }
                if (tiflags & TH_RST) {
!                       if ((tiflags & TH_ACK) &&
!                       /* XXX outside window? XXX */
!                           (SEQ_GT(ti->ti_ack, tp->iss) &&
!                            SEQ_LEQ(ti->ti_ack, tp->snd_max)))
                                tp = tcp_drop(tp, ECONNREFUSED);
                        goto drop;
                }
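Review bot: The new ACK-range test on the RST path in SYN_SENT (the four `!` lines) may be a no-op: the `goto dropwithreset;` visible at the top of the hunk is where a segment carrying an out-of-range ACK in this state is normally rejected before the RST test is ever reached, and if that preceding condition is the usual acceptability test (ACK must be in (iss, snd_max]), then every segment that reaches the new `if` already satisfies SEQ_GT(ti->ti_ack, tp->iss) && SEQ_LEQ(ti->ti_ack, tp->snd_max), so the added condition does not tighten RST validation at all. Check the condition above the visible `goto dropwithreset;` and, if it is that test, either drop this change or make the RST check strictly narrower than the earlier one. Separately, the `/* XXX outside window? XXX */` comment is placed between the `&&` and its right operand, which makes the condition hard to read; move it above the `if` and replace the question with a statement of why this ACK range is the one an acceptable RST must fall in.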
***************
*** 1147,1152 ****
--- 1150,1159 ----
        case TCPS_FIN_WAIT_1:
        case TCPS_FIN_WAIT_2:
        case TCPS_CLOSE_WAIT:
+               /* XXX outside window? XXX */
+               if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
+                   SEQ_LT(ti->ti_seq, tp->rcv_nxt))
+                   goto drop;
                so->so_error = ECONNRESET;
        close:
                tp->t_state = TCPS_CLOSED;
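Review bot: The zero-window case is mishandled: when tp->rcv_wnd is 0, tp->rcv_nxt + tp->rcv_wnd equals tp->rcv_nxt, so SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) is true for a segment with ti_seq == rcv_nxt and a legitimate in-sequence RST is silently dropped for as long as the receive window is closed. With a closed window a segment is acceptable exactly when ti_seq == rcv_nxt, so handle rcv_wnd == 0 separately before applying the range test, e.g. `if (tp->rcv_wnd == 0 ? ti->ti_seq != tp->rcv_nxt : (SEQ_GEQ(...) || SEQ_LT(...)))`. Two smaller points: the `goto drop;` is indented with spaces rather than the tab convention of the surrounding code, and the `/* XXX outside window? XXX */` comment should state what the check does (drop an RST whose sequence number lies outside the receive window) rather than pose a question; consider also counting these drops in a statistic so that a run of rejected RSTs is observable rather than silent.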
