mbuf vulnerability

Mike Silbersack silby at silby.com
Tue Mar 2 12:59:34 PST 2004


On Wed, 3 Mar 2004, Darren Reed wrote:

> > > "strict" requires that the sequence number in packet n should match
> > > what that sequence number of the last byte in packet n-1 - i.e. no
> > > out of order delivery is permitted.
> > >
> > > Darren
> Right, so your comment about it "not working" applies to 3.x (which
> is what comes with FreeBSD, currently), which is what I was hoping :)
>
> My comment was to say that with ipf4, you can address this problem.
>
> darren

Ok, that sounds correct.  However, it would have an adverse performance
impact in the normal case.  Have you considered having an "almost strict"
option that would allow maybe 3 or 4 out of order segments through?  That
would be a great feature. :)

Mike "Silby" Silbersack
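
The two behaviours discussed in this thread, "strict" checking and an "almost strict" variant that lets a few out-of-order segments through, can be sketched as follows. This is an added example, not code from the original post or from IPFilter; `seq_track`, `seq_check`, `MAX_OOO` and the sample sequence numbers are hypothetical, and it tracks one direction of one flow only.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_OOO 4   /* hypothetical cap on tracked gaps */

/* Hypothetical per-flow state, one direction only (not IPFilter's). */
struct seq_track {
    uint32_t next;    /* sequence number the next in-order segment must carry */
    unsigned limit;   /* 0 = strict; 3 or 4 = "almost strict" */
    unsigned held;    /* segments passed while still ahead of 'next' */
    struct { uint32_t seq, len; } ooo[MAX_OOO];
};

/* Returns 1 to pass the segment, 0 to drop it. */
static int seq_check(struct seq_track *t, uint32_t seq, uint32_t len)
{
    if (seq == t->next) {
        t->next = seq + len;              /* uint32_t wraps like TCP sequence space */
        for (unsigned i = 0; i < t->held; ) {
            if (t->ooo[i].seq == t->next) {   /* gap closed: absorb held range */
                t->next += t->ooo[i].len;
                t->ooo[i] = t->ooo[--t->held];
                i = 0;                        /* rescan from the start */
            } else {
                i++;
            }
        }
        return 1;
    }
    /* Ahead of 'next' (serial-number comparison) and a slot is free. */
    if ((int32_t)(seq - t->next) > 0 && t->held < t->limit && t->held < MAX_OOO) {
        t->ooo[t->held].seq = seq;
        t->ooo[t->held].len = len;
        t->held++;
        return 1;
    }
    return 0;   /* simplification: anything behind 'next' or over the limit is dropped */
}

int main(void)
{
    struct seq_track s = { .next = 1000, .limit = 3 };   /* constructed values */
    uint32_t seqs[] = { 1000, 1200, 1300, 1100, 1400 };  /* 100-byte segments */
    for (unsigned i = 0; i < 5; i++)
        printf("seq %u -> %s\n", (unsigned)seqs[i],
               seq_check(&s, seqs[i], 100) ? "pass" : "drop");
    return 0;
}
```

With `limit` set to 0 the same function behaves as the strict mode described in the quoted text; how retransmitted segments should be treated is left out of this sketch.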

