Recent full disclosure post - Local DOS

Tom Judge tom at tomjudge.com
Mon Jan 31 17:43:32 UTC 2011


On 01/28/2011 01:27 PM, John Baldwin wrote:
> On Friday, January 28, 2011 12:38:22 pm Tom Judge wrote:
>> On 01/28/2011 11:09 AM, John Baldwin wrote:
>>> On Friday, January 28, 2011 11:08:37 am Tom Judge wrote:
>>>> On 01/28/2011 08:29 AM, Tom Judge wrote:
>>>>>
>>>>> Has anyone looked at this:
>>>>>
>>>>> [Full-disclosure] FreeBSD local denial of service - forced reboot
>>>>>
>>>>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html
>>>>>
<SNIP>
>>
>> Hi John,
>>
>> I can't repeat this with the code you sent.  I tried this in a while (1)
>> loop and had 4 instances running without issue.
> 
> Humm.  That is the only setsockopt for TCP that can trigger a call to 
> tcp_output().
> 

Hi John,

I have just updated my test box to r218019.

Without your patch the issue is still present.

With your patch it seems to be fine (it passed 100 iterations of the
code in the post).

Tom


> I have a possible fix I'm just not sure if it is completely correct:
> 
> Index: tcp_usrreq.c
> ===================================================================
> --- tcp_usrreq.c	(revision 218018)
> +++ tcp_usrreq.c	(working copy)
> @@ -1330,7 +1330,8 @@ tcp_ctloutput(struct socket *so, struct sockopt *s
>  				tp->t_flags |= TF_NOPUSH;
>  			else {
>  				tp->t_flags &= ~TF_NOPUSH;
> -				error = tcp_output(tp);
> +				if (TCPS_HAVEESTABLISHED(tp->t_state))
> +					error = tcp_output(tp);
>  			}
>  			INP_WUNLOCK(inp);
>  			break;
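Review bot: the added TCPS_HAVEESTABLISHED() guard turns clearing TF_NOPUSH into a silent no-op on a socket that has not finished the handshake, leaving error as it was so the setsockopt still reports success, but the hunk carries no comment saying why tcp_output() must not be entered before the connection is established; add a one-line comment above the `if (TCPS_HAVEESTABLISHED(tp->t_state))` so the check is not later dropped as redundant. Before committing, also confirm that data a caller queued while TF_NOPUSH was set on a SYN_SENT socket is still flushed once the connection reaches ESTABLISHED rather than sitting until the next write, since the push that this branch used to force is now skipped for that case.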
> 


-- 
TJU13-ARIN

