svn commit: r293910 - head/sys/netinet
Gleb Smirnoff
glebius at FreeBSD.org
Thu Jan 14 10:22:46 UTC 2016
Author: glebius
Date: Thu Jan 14 10:22:45 2016
New Revision: 293910
URL: https://svnweb.freebsd.org/changeset/base/293910
Log:
There is a bug in tcp_output()'s implementation of the TCP_SIGNATURE
(RFC 2385/TCP-MD5) kernel option.
If a tcpcb has the TF_NOOPT flag, then tcp_addoptions() is not called,
and to.to_signature is an uninitialized stack variable. The value
is later used as a write offset, which leads to writing to a random
address.
Submitted by: rstone, jtl
Security: SA-16:05.tcp
Modified:
head/sys/netinet/tcp_output.c
Modified: head/sys/netinet/tcp_output.c
==============================================================================
--- head/sys/netinet/tcp_output.c Thu Jan 14 10:16:25 2016 (r293909)
+++ head/sys/netinet/tcp_output.c Thu Jan 14 10:22:45 2016 (r293910)
@@ -752,8 +752,8 @@ send:
* segments. Options for SYN-ACK segments are handled in TCP
* syncache.
*/
+ to.to_flags = 0;
if ((tp->t_flags & TF_NOOPT) == 0) {
- to.to_flags = 0;
/* Maximum segment size. */
if (flags & TH_SYN) {
tp->snd_nxt = tp->iss;
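Review bot: only to_flags is initialized unconditionally here; with TF_NOOPT set, the rest of `to`, including to_signature, is still uninitialized stack memory, so correctness depends on every later reader testing to_flags first. Consider zeroing the whole structure before the TF_NOOPT test (for example with bzero(&to, sizeof(to))), or at least add a comment above `to.to_flags = 0;` stating that it must stay outside the conditional.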
@@ -1233,7 +1233,7 @@ send:
tp->snd_up = tp->snd_una; /* drag it along */
#ifdef TCP_SIGNATURE
- if (tp->t_flags & TF_SIGNATURE) {
+ if (to.to_flags & TOF_SIGNATURE) {
int sigoff = to.to_signature - opt;
tcp_signature_compute(m, 0, len, optlen,
(u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
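Review bot: with the test now on to.to_flags, a connection that has both TF_SIGNATURE and TF_NOOPT set sends this segment with no TCP-MD5 signature and no indication to the caller; please state in a comment whether that is intended or whether the combination should be rejected. Separately, sigoff is still used unchecked as an offset past (th + 1); a KASSERT that it is non-negative and that the signature fits within optlen would catch any future path that sets TOF_SIGNATURE without setting to_signature.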
@@ -1713,6 +1713,7 @@ tcp_addoptions(struct tcpopt *to, u_char
bcopy((u_char *)&to->to_tsecr, optp, sizeof(to->to_tsecr));
optp += sizeof(to->to_tsecr);
break;
+#ifdef TCP_SIGNATURE
case TOF_SIGNATURE:
{
int siglen = TCPOLEN_SIGNATURE - 2;
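Review bot: the new #ifdef TCP_SIGNATURE around case TOF_SIGNATURE is not mentioned in the commit log, which describes only the uninitialized to_signature; a sentence saying why the case is now compiled out would help anyone merging this to other branches. If it is cleanup rather than part of the fix, it may be better as a separate commit.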
@@ -1731,6 +1732,7 @@ tcp_addoptions(struct tcpopt *to, u_char
*optp++ = 0;
break;
}
+#endif
case TOF_SACK:
{
int sackblks = 0;
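Review bot: the #endif closing the guard after the TOF_SIGNATURE case has no trailing comment, and its #ifdef is about twenty lines up; `#endif /* TCP_SIGNATURE */` would make the pairing obvious. It is also worth confirming how the switch handles a TOF_SIGNATURE bit when this case is compiled out, since the remaining cases are not visible in this hunk.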