[7841] in bugtraq


Re: FreeBSD's RST validation

daemon@ATHENA.MIT.EDU (Don Lewis)
Tue Sep 1 15:43:44 1998

Date: 	Mon, 31 Aug 1998 14:56:55 -0700
Reply-To: Don Lewis <Don.Lewis@TSC.TDK.COM>
From: Don Lewis <Don.Lewis@TSC.TDK.COM>
X-To:         bmah@CA.Sandia.GOV
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  bmah@CA.Sandia.GOV (Bruce A. Mah) "Re: FreeBSD's RST validation"
              (Aug 31,  1:26pm)

On Aug 31,  1:26pm, Bruce A. Mah wrote:
} Subject: Re: FreeBSD's RST validation
} If memory serves me right, Don Lewis wrote:
}
} > On Aug 31, 11:24am, Bruce A. Mah wrote:
}
} [snip]
}
} > }                   if (tiflags & TH_RST) {
} > } !                         if ((tiflags & TH_ACK) &&
} > } !                         /* XXX outside window? XXX */
} > } !                             (SEQ_GT(ti->ti_ack, tp->iss) &&
} > } !                              SEQ_LEQ(ti->ti_ack, tp->snd_max)))
} > }                                   tp = tcp_drop(tp, ECONNREFUSED);
} > }                           goto drop;
} > }                   }
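Review bot: the sequence-range half of the new condition, SEQ_GT(ti->ti_ack, tp->iss) && SEQ_LEQ(ti->ti_ack, tp->snd_max), is exactly the complement of the SYN_SENT ACK check that runs earlier in the same function (quoted further down in this thread), which already drops or resets any segment whose ACK lies outside (tp->iss, tp->snd_max], so that part of the test can never change the outcome. The only behavioural change is the added (tiflags & TH_ACK) requirement: an RST carrying no ACK bit is now silently dropped (goto drop) instead of reaching tcp_drop(tp, ECONNREFUSED). If that is the intent, replace the "XXX outside window? XXX" comment with one saying so and drop the redundant range test; if it is not, the ACK test alone is what needs review.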
} >
} > As more data is sent across the connection, the wider the window for
} > a spoofed RST opens.  Once you send 2 GB, legitimate RSTs no longer
} > work.  You should probably be comparing against tp->snd_una instead
} > of tp->iss.
}
} Hmmm.  I was thinking specifically of the problem that with a RST arriving for
} a connection in SYN_SENT, the ACK in the RST-bearing segment has to
} acknowledge the initial SYN (thus, a test against tp->iss).  I hadn't thought
} that the ever-increasing difference between tp->snd_una and tp->iss would be a
} problem, since at this point in the code, we know that the receiving end of
} the connection is in SYN_SENT, as opposed to, say, ESTABLISHED.  Shouldn't
} (tp->snd_una == tp->iss) in this state, in which case, either would do?  (Not
} trying to split hairs, but just trying to learn a little more.)

Hmn, it's been a while since I looked at this stuff.  Yup, I didn't notice
that this was the SYN_SENT state and was thinking this was ESTABLISHED.

Now that I look at this change some more, I think your added tests are
a NOP because of the code just above this:

                if ((tiflags & TH_ACK) &&
                    (SEQ_LEQ(ti->ti_ack, tp->iss) ||
                     SEQ_GT(ti->ti_ack, tp->snd_max))) {
                        [ snip comment ]
                        if (taop->tao_ccsent != 0)
                                goto drop;
                        else
                                goto dropwithreset;

If the ACK is outside the window, the packet will already have been
dropped before we even look for the RST flag.
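To make the ordering of the two checks concrete, here is an added example in C (not code from FreeBSD or from either poster) that models only the two SYN_SENT checks quoted in this thread with BSD-style modular sequence comparisons; struct tcb, syn_sent_segment, rst_in_range and the assumption tao_ccsent == 0 are mine. It also carries the earlier tp->iss versus tp->snd_una point to an established connection that has sent a lot of data, which the quoted code does not cover.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Modular sequence-space comparisons, equivalent to BSD's tcp_seq.h macros. */
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)

#define TH_RST 0x04
#define TH_ACK 0x10

/* Hypothetical minimal control block: only the fields the thread discusses. */
struct tcb { uint32_t iss, snd_una, snd_max; };

/* The label the SYN_SENT code would jump to, or CONTINUE if neither check fires. */
enum outcome { DROP, DROPWITHRESET, CONNREFUSED, CONTINUE };

/* SYN_SENT processing in the order quoted above: the ACK range check runs
 * first, then the patched RST test. tao_ccsent is assumed to be 0 (no T/TCP). */
static enum outcome syn_sent_segment(const struct tcb *tp, uint8_t flags, uint32_t ack)
{
    if ((flags & TH_ACK) &&
        (SEQ_LEQ(ack, tp->iss) || SEQ_GT(ack, tp->snd_max)))
        return DROPWITHRESET;      /* gone before the RST flag is examined */
    if (flags & TH_RST) {
        if ((flags & TH_ACK) &&
            SEQ_GT(ack, tp->iss) && SEQ_LEQ(ack, tp->snd_max))
            return CONNREFUSED;    /* tcp_drop(tp, ECONNREFUSED) */
        return DROP;               /* RST without ACK: dropped, connection kept */
    }
    return CONTINUE;
}

/* The RST range test with the lower bound made a parameter, to contrast
 * tp->iss against tp->snd_una once a connection has sent a lot of data. */
static bool rst_in_range(uint32_t lower, uint32_t snd_max, uint32_t ack)
{
    return SEQ_GT(ack, lower) && SEQ_LEQ(ack, snd_max);
}

int main(void)
{
    struct tcb syn_sent = { 1000u, 1000u, 1001u };   /* snd_una == iss in SYN_SENT */
    printf("SYN_SENT RST+ACK(1001) -> %d\n", syn_sent_segment(&syn_sent, TH_RST | TH_ACK, 1001u));
    /* Established connection, 1 GB sent, 5 bytes in flight, stale ack iss+1 (constructed). */
    uint32_t iss = 1000u, snd_max = iss + 0x40000000u, snd_una = snd_max - 5u;
    printf("stale ack accepted vs iss: %d, vs snd_una: %d\n",
           rst_in_range(iss, snd_max, iss + 1u), rst_in_range(snd_una, snd_max, iss + 1u));
    return 0;
}
```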
