Possible PAWS security vulnerability

Tim Traver tt-list at simplenet.com
Fri May 20 17:28:29 GMT 2005 

Uwe,

Thank you. That really answers my original question.

As I said, this was not my patch, and I didn't really even ask for one, 
but Ted created it, and then acted like a jerk to get me to post it to 
you guys.

Sorry to have taken your time.

Tim.


Uwe Doering wrote:

> Tim Traver wrote:
>
>> Hello security gurus,
>>
>> yesterday, I mistakenly posted a question on the questions list about 
>> this article :
>>
>> http://www.securityfocus.com/bid/13676/info/
>>
>> which talks about a form of DOS vulnerability.
>>
>> I was curious as to the possibility of FreeBSD 5.x being affected, 
>> and if anyone was working on this or not.
>>
>> Ted Mittelstaedt posted this possible patch based upon the OpenBSD 
>> patch :
>>
>> in /usr/src/sys/netinet
>>
>> *** tcp_input.c.original        Thu May 19 11:52:30 2005
>> --- tcp_input.c Thu May 19 12:00:14 2005
>> ***************
>> *** 976,984 ****
>> --- 976,992 ----
>>                 * record the timestamp.
>>                 * NOTE that the test is modified according to the latest
>>                 * proposal of the tcplw at cray.com list (Braden 
>> 1993/04/26).
>> +                * NOTE2 additional check added as a result of PAWS 
>> vulnerability
>> +                * documented in Cisco security notice 
>> cisco-sn-20050518-tcpts
>> +                * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
>>                 */
>>                if ((to.to_flags & TOF_TS) != 0 &&
>>                    SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
>> +                       if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
>> +
>> +                               ((thflags & (TH_SYN|TH_FIN)) != 0)))
>> +                                 tp->ts_recent = to.to_tsval;
>> +                       else
>> +                               tp->ts_recent = 0;
>>                        tp->ts_recent_age = ticks;
>>                        tp->ts_recent = to.to_tsval;
>>                }
>
>
> I wonder, what good does it do to set 'tp->ts_recent' conditionally if 
> you overwrite it with 'to.to_tsval' two lines later in any case.  So 
> far, I'd say this patch looks faulty.
>
> Apart from that, why develop your own patch when there is one already 
> in CVS:
>
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=h 
>
>
> As far as I can tell there are good chances that it even applies 
> flawlessly to RELENG_4.
>
>    Uwe

More information about the freebsd-security mailing list