Hi all,

With respect to the bugs described in
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

<quote>
SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

Description: It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

Workaround #1: Apply the patch split_limit.patch <https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/split_limit.patch> and set the net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the size of the SACK table.

Workaround #2: Temporarily disable the RACK TCP stack.

(Note that either workaround should be sufficient on its own. It is not necessary to apply both workarounds.)
</quote>

How do I know if this is enabled in my default kernel on RELENG_12? There is some vague mention in various forums that this is not the default on FreeBSD. Can anyone shed more light as to how this does/does not impact FreeBSD?

    ---Mike
mike tancsa <mike at sentex.net> writes:

> How do I know if this is enabled in my default kernel on RELENG_12?
> There is some vague mention in various forums that this is not the default on
> FreeBSD. Can anyone shed more light as to how this does/does not impact
> FreeBSD?

If the net.inet.tcp.functions_default sysctl doesn't list "rack", you don't have to worry about it. As far as I can see from a quick look at my source tree, you would have to load a module to use it.
On 06/18/19 at 10:33P, mike tancsa wrote:

> Hi all,
> With respect to the bugs described in
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
> <quote>
> SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
[snip]
> </quote>
>
> How do I know if this is enabled in my default kernel on RELENG_12?
> There is some vague mention in various forums that this is not the default on
> FreeBSD. Can anyone shed more light as to how this does/does not impact
> FreeBSD?

RACK is one of the tcp stacks ($src/sys/netinet/tcp_stacks) and not enabled by default. So, by default, FreeBSD is not affected, afaict. This advisory is for when you do use RACK.

Cheers,
Hiren
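The two replies above both reduce the question to a sysctl check: if net.inet.tcp.functions_default does not select "rack", the advisory does not apply to the default stack. The script below is an added audit helper written for this thread; it is not code from the thread, the Netflix advisory or FreeBSD. The decision logic takes the sysctl values as arguments so it can be exercised with constructed input; `check_host` reads the live values with sysctl(8) when the script is run with `--check`. It goes slightly beyond the thread by also reading net.inet.tcp.functions_available (assumed sysctl name) to distinguish "rack loaded but not default" from "rack absent", and by reporting whether the net.inet.tcp.rack.split_limit sysctl from Workaround #1 is present. The function names and the `--check` flag are this example's own.

```shell
#!/bin/sh
# Added audit helper for the RACK advisory discussed in this thread; it is not
# code from the thread, the advisory or FreeBSD. The decision logic takes the
# sysctl values as arguments so it can be exercised with constructed input;
# check_host reads the live values with sysctl(8) when run with --check.

# rack_status DEFAULT AVAILABLE
#   DEFAULT   = value of net.inet.tcp.functions_default
#   AVAILABLE = value of net.inet.tcp.functions_available (assumed sysctl name;
#               it lists every loaded TCP stack, not just the default one)
# Prints one of:
#   default - rack is the default stack: the advisory applies to new connections
#   loaded  - rack is loaded but not default: only sockets that explicitly
#             select it use it
#   absent  - rack is not loaded: the advisory does not apply
rack_status() {
    case "$1" in
        *rack*) echo default; return ;;
    esac
    case "$2" in
        *rack*) echo loaded ;;
        *)      echo absent ;;
    esac
}

# split_limit_status SPLIT_LIMIT
# The net.inet.tcp.rack.split_limit sysctl only exists once split_limit.patch
# from the advisory is applied; an empty value means sysctl(8) could not read it.
# Prints "unpatched" or "limit=N".
split_limit_status() {
    if [ -z "$1" ]; then
        echo unpatched
    else
        echo "limit=$1"
    fi
}

# check_host: read the live sysctls (FreeBSD only) and report.
check_host() {
    default=$(sysctl -n net.inet.tcp.functions_default 2>/dev/null)
    available=$(sysctl -n net.inet.tcp.functions_available 2>/dev/null)
    limit=$(sysctl -n net.inet.tcp.rack.split_limit 2>/dev/null)
    status=$(rack_status "$default" "$available")
    echo "rack stack: $status"
    if [ "$status" != absent ]; then
        echo "split_limit: $(split_limit_status "$limit")"
    fi
}

case "${1:-}" in
    --check) check_host ;;
esac
```

Run it as `sh rack_check.sh --check` on the FreeBSD host in question; a result of "rack stack: absent" matches the situation both replies describe for a stock RELENG_12 kernel, while "default" or "loaded" means the advisory's workarounds are worth applying.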