Hello security gurus, yesterday, I mistakenly posted a question on the questions list about this article : http://www.securityfocus.com/bid/13676/info/ which talks about a form of DOS vulnerability. I was curious as to the possibility of FreeBSD 5.x being affected, and if anyone was working on this or not. Ted Mittelstaedt posted this possible patch based upon the OpenBSD patch : in /usr/src/sys/netinet *** tcp_input.c.original Thu May 19 11:52:30 2005 --- tcp_input.c Thu May 19 12:00:14 2005 *************** *** 976,984 **** --- 976,992 ---- * record the timestamp. * NOTE that the test is modified according to the latest * proposal of the tcplw@cray.com list (Braden 1993/04/26). + * NOTE2 additional check added as a result of PAWS vulnerability + * documented in Cisco security notice cisco-sn-20050518-tcpts + * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch */ if ((to.to_flags & TOF_TS) != 0 && SEQ_LEQ(th->th_seq, tp->last_ack_sent)) { + if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen + + ((thflags & (TH_SYN|TH_FIN)) != 0))) + tp->ts_recent = to.to_tsval; + else + tp->ts_recent = 0; tp->ts_recent_age = ticks; tp->ts_recent = to.to_tsval; } After I basically let Ted know that I wouldn't know how to test the patch, because I don't even know how to break it in the first place, he went on a tirade calling me a troll, and all sorts of nasty accusations and general belittlement. I hope that you don't have to work with him on a regular basis, because he appears to be the definition of the word "dickhead." Tim.
Tim Traver wrote:> Hello security gurus, > > yesterday, I mistakenly posted a question on the questions list about > this article : > > http://www.securityfocus.com/bid/13676/info/ > > which talks about a form of DOS vulnerability. > > I was curious as to the possibility of FreeBSD 5.x being affected, and > if anyone was working on this or not. > > Ted Mittelstaedt posted this possible patch based upon the OpenBSD patch : > > in /usr/src/sys/netinet > > *** tcp_input.c.original Thu May 19 11:52:30 2005 > --- tcp_input.c Thu May 19 12:00:14 2005 > *************** > *** 976,984 **** > --- 976,992 ---- > * record the timestamp. > * NOTE that the test is modified according to the latest > * proposal of the tcplw@cray.com list (Braden 1993/04/26). > + * NOTE2 additional check added as a result of PAWS > vulnerability > + * documented in Cisco security notice > cisco-sn-20050518-tcpts > + * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch > */ > if ((to.to_flags & TOF_TS) != 0 && > SEQ_LEQ(th->th_seq, tp->last_ack_sent)) { > + if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen > + > + ((thflags & (TH_SYN|TH_FIN)) != 0))) > + tp->ts_recent = to.to_tsval; > + else > + tp->ts_recent = 0; > tp->ts_recent_age = ticks; > tp->ts_recent = to.to_tsval; > }I wonder, what good does it do to set 'tp->ts_recent' conditionally if you overwrite it with 'to.to_tsval' two lines later in any case. So far, I'd say this patch looks faulty. Apart from that, why develop your own patch when there is one already in CVS: http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=h As far as I can tell there are good chances that it even applies flawlessly to RELENG_4. Uwe -- Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers gemini@geminix.org | http://www.escapebox.net