Possible PAWS security vulnerability
Uwe Doering
gemini at geminix.org
Fri May 20 17:17:18 GMT 2005
Tim Traver wrote:
> Hello security gurus,
>
> yesterday, I mistakenly posted a question on the questions list about
> this article:
>
> http://www.securityfocus.com/bid/13676/info/
>
> which talks about a form of DoS vulnerability.
>
> I was curious as to the possibility of FreeBSD 5.x being affected, and
> if anyone was working on this or not.
>
> Ted Mittelstaedt posted this possible patch based upon the OpenBSD patch:
>
> in /usr/src/sys/netinet
>
> *** tcp_input.c.original Thu May 19 11:52:30 2005
> --- tcp_input.c Thu May 19 12:00:14 2005
> ***************
> *** 976,984 ****
> --- 976,992 ----
> * record the timestamp.
> * NOTE that the test is modified according to the latest
> * proposal of the tcplw at cray.com list (Braden 1993/04/26).
> + * NOTE2 additional check added as a result of PAWS
> vulnerability
> + * documented in Cisco security notice
> cisco-sn-20050518-tcpts
> + * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
> */
> if ((to.to_flags & TOF_TS) != 0 &&
> SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
> + if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
> +
> + ((thflags & (TH_SYN|TH_FIN)) != 0)))
> + tp->ts_recent = to.to_tsval;
> + else
> + tp->ts_recent = 0;
> tp->ts_recent_age = ticks;
> tp->ts_recent = to.to_tsval;
> }
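Review bot: the added if/else is dead code as quoted: it sets `tp->ts_recent` to `to.to_tsval` or `0` depending on whether `last_ack_sent` falls inside the segment, but the pre-existing unconditional `tp->ts_recent = to.to_tsval;` after `tp->ts_recent_age = ticks;` is kept, so an out-of-window timestamp is still recorded exactly as before and the else branch can never have an effect. Either remove that retained assignment or fold the new `SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen + ((thflags & (TH_SYN|TH_FIN)) != 0))` test into the enclosing `if`, so that a segment which merely looks old cannot change `ts_recent`. Separately, the text has been damaged by mail wrapping (the continuation lines of the two `NOTE2` comment lines lack a `+` prefix, and the `SEQ_LEQ` expression is split across a lone `+` line), so it will not apply with patch(1) in this form; the poster should reattach it verbatim or point at the CVS revision instead.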
I wonder, what good does it do to set 'tp->ts_recent' conditionally if
you overwrite it with 'to.to_tsval' two lines later in any case. So
far, I'd say this patch looks faulty.
Apart from that, why develop your own patch when there is one already in
CVS:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=h
As far as I can tell there are good chances that it even applies
flawlessly to RELENG_4.
Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini at geminix.org | http://www.escapebox.net
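As an added example (not code from this thread, nor from the FreeBSD or OpenBSD trees): a small user-space C model of the `ts_recent` update that the patch changes, run in three variants: the original code, the patch exactly as quoted above (conditional assignment followed by the retained unconditional one), and the patch with that retained line removed. The scenario is constructed: the peer has been acked up to sequence 1000 with `ts_recent` 500, an off-path sender spoofs a segment that looks like already-acked data but carries a timestamp 2^30 ahead, and then the peer's next real segment arrives. The names `record_timestamp`, `paws_rejects`, `input`, `run_scenario` and `ts_recent_after_spoof` are invented for the example; the `SEQ_LEQ`/`TSTMP_LT` macros mirror the kernel's signed-difference idiom, and the kernel's 24-day `TCP_PAWS_IDLE` exception is deliberately left out since it does not help a live connection.

```c
/* Added example: user-space model of the tcp_input.c ts_recent bookkeeping.
 * Not kernel code; helper names are invented, the scenario is constructed. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;
#define SEQ_LEQ(a, b)  ((int32_t)((a) - (b)) <= 0)
#define TSTMP_LT(a, b) ((int32_t)((a) - (b)) < 0)
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TOF_TS 0x01

struct tcpcb {                 /* only the fields the patch touches */
	tcp_seq  last_ack_sent;
	uint32_t ts_recent;
	uint32_t ts_recent_age;
};

struct segment {               /* what tcp_input() looks at here */
	tcp_seq  seq;
	int      len;             /* tlen */
	int      flags;           /* thflags */
	int      to_flags;
	uint32_t tsval;
};

enum variant { UNPATCHED, AS_QUOTED, INTENDED };

/* PAWS test that runs before the update: a segment whose timestamp is older
 * than ts_recent is dropped; ts_recent == 0 means "no valid timestamp yet". */
static int paws_rejects(const struct tcpcb *tp, const struct segment *s)
{
	return (s->to_flags & TOF_TS) != 0 && tp->ts_recent != 0 &&
	    TSTMP_LT(s->tsval, tp->ts_recent);
}

/* "If last ACK falls within this segment's sequence numbers, record its
 * timestamp."  UNPATCHED checks only the lower bound, so any old-looking
 * segment sets ts_recent.  AS_QUOTED runs the new if/else and then the
 * retained unconditional assignment.  INTENDED drops that retained line. */
static void record_timestamp(struct tcpcb *tp, const struct segment *s,
    enum variant v, uint32_t ticks)
{
	if ((s->to_flags & TOF_TS) == 0 || !SEQ_LEQ(s->seq, tp->last_ack_sent))
		return;
	int covers = SEQ_LEQ(tp->last_ack_sent,
	    s->seq + s->len + ((s->flags & (TH_SYN | TH_FIN)) != 0));
	if (v != UNPATCHED)
		tp->ts_recent = covers ? s->tsval : 0;  /* the added if/else */
	tp->ts_recent_age = ticks;
	if (v != INTENDED)
		tp->ts_recent = s->tsval;               /* the line the quoted patch keeps */
}

/* Returns 1 if PAWS dropped the segment, 0 if it was processed. */
static int input(struct tcpcb *tp, const struct segment *s, enum variant v,
    uint32_t ticks)
{
	if (paws_rejects(tp, s))
		return 1;
	record_timestamp(tp, s, v, ticks);
	return 0;
}

/* Constructed connection state and the spoofed segment (seq 900, 10 bytes,
 * timestamp 2^30 ahead): it passes PAWS because its tsval looks newer. */
static void attack(struct tcpcb *tp, enum variant v)
{
	struct segment spoof = { .seq = 900, .len = 10, .flags = 0,
	    .to_flags = TOF_TS, .tsval = 500 + 0x40000000u };
	tp->last_ack_sent = 1000; tp->ts_recent = 500; tp->ts_recent_age = 0;
	(void)input(tp, &spoof, v, 1);
}

uint32_t ts_recent_after_spoof(enum variant v)
{
	struct tcpcb tp;
	attack(&tp, v);
	return tp.ts_recent;
}

/* Returns 1 if the peer's next legitimate segment (seq 1000, tsval 510) is
 * dropped after the spoof, i.e. the connection has been wedged. */
int run_scenario(enum variant v)
{
	struct tcpcb tp;
	struct segment real = { .seq = 1000, .len = 100, .flags = 0,
	    .to_flags = TOF_TS, .tsval = 510 };
	attack(&tp, v);
	return input(&tp, &real, v, 2);
}

int main(void)
{
	const char *names[] = { "unpatched", "patch as quoted", "patch as intended" };
	for (int v = UNPATCHED; v <= INTENDED; v++)
		printf("%-18s ts_recent=%u, next real segment %s\n", names[v],
		    ts_recent_after_spoof(v),
		    run_scenario(v) ? "dropped by PAWS" : "accepted");
	return 0;
}
```

Compiled with `cc -std=c99 paws_model.c`, the unpatched variant and the patch as quoted both end up with the spoofed 2^30-ahead value in `ts_recent`, so every genuine segment from the peer fails `TSTMP_LT` and is dropped; only the variant without the retained assignment leaves `ts_recent` at 0, which lets the real segment through and then records its timestamp. Note that zeroing `ts_recent`, the OpenBSD-derived choice in the quoted patch, suspends PAWS on that connection until a segment that actually covers `last_ack_sent` arrives; the committed FreeBSD diff Uwe links is not reproduced here, since its text is not on this page.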
More information about the freebsd-security mailing list