[Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
jayanth
jayanth at yahoo-inc.com
Thu Apr 22 07:59:24 PDT 2004
Don Lewis (truckman at FreeBSD.org) wrote:
> On 21 Apr, Mike Silbersack wrote:
> >
> > On Wed, 21 Apr 2004, Don Lewis wrote:
> >
> >> > 1. Accept all RSTs meeting the criteria you just listed above.
> >>
> >> At this step, it would be better if we used the window size that was
> >> advertised it the last packet sent, since that is what the sequence
> >> number of the RST packet will be calculated from, while the window size
> >> could have increased if data was consumed from the receive queue between
> >> the time we sent the last packet and when we received the RST.
> >>
> >> It doesn't look like we keep the necessary data for this. Probably the
> >> easiest thing to do would be to calculate the expected sequence number
> >> in tcp_output() and stash it in the pcb.
> >
> > Do you have access to a system that exhibits the "RST at end of window"
> > syndrome so that you could code up and test out this part of the patch?
>
> Nope. The only report of this that I saw was from jayanth. Judging by
> the tcpdump timestamps, it looks like whatever this wierd piece of
> hardware was, it was nearby.
>
if i remember right this was done to handle the Alteons which
generate a RST segment that would fall within the window size but not the
next expected sequence no.
So they would do something crazy like rcv_nxt + rcv_win as the sequence no,
for the RST segment rather than rcv_nxt + 1.
This was part of the RFC though.
If it is a problem we can always revert it back.
jayanth
More information about the freebsd-security
mailing list