Possible PAWS security vulnerability
Tim Traver
tt-list at simplenet.com
Fri May 20 17:28:29 GMT 2005
Uwe,
Thank you. That really answers my original question.
As I said, this was not my patch, and I didn't really even ask for one,
but Ted created it, and then acted like a jerk to get me to post it to
you guys.
Sorry to have taken your time.
Tim.
Uwe Doering wrote:
> Tim Traver wrote:
>
>> Hello security gurus,
>>
>> yesterday, I mistakenly posted a question on the questions list about
>> this article :
>>
>> http://www.securityfocus.com/bid/13676/info/
>>
>> which talks about a form of DOS vulnerability.
>>
>> I was curious as to the possibility of FreeBSD 5.x being affected,
>> and if anyone was working on this or not.
>>
>> Ted Mittelstaedt posted this possible patch based upon the OpenBSD
>> patch :
>>
>> in /usr/src/sys/netinet
>>
>> *** tcp_input.c.original Thu May 19 11:52:30 2005
>> --- tcp_input.c Thu May 19 12:00:14 2005
>> ***************
>> *** 976,984 ****
>> --- 976,992 ----
>> * record the timestamp.
>> * NOTE that the test is modified according to the latest
>> * proposal of the tcplw at cray.com list (Braden
>> 1993/04/26).
>> + * NOTE2 additional check added as a result of PAWS
>> vulnerability
>> + * documented in Cisco security notice
>> cisco-sn-20050518-tcpts
>> + * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
>> */
>> if ((to.to_flags & TOF_TS) != 0 &&
>> SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
>> + if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
>> +
>> + ((thflags & (TH_SYN|TH_FIN)) != 0)))
>> + tp->ts_recent = to.to_tsval;
>> + else
>> + tp->ts_recent = 0;
>> tp->ts_recent_age = ticks;
>> tp->ts_recent = to.to_tsval;
>> }
>
>
> I wonder, what good does it do to set 'tp->ts_recent' conditionally if
> you overwrite it with 'to.to_tsval' two lines later in any case. So
> far, I'd say this patch looks faulty.
>
> Apart from that, why develop your own patch when there is one already
> in CVS:
>
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=h
>
>
> As far as I can tell there are good chances that it even applies
> flawlessly to RELENG_4.
>
> Uwe
More information about the freebsd-security
mailing list