Re: Possible PAWS security vulnerability

From: Tim Traver (tt-list_at_simplenet.com)
Date: 05/20/05

    Date: Fri, 20 May 2005 10:24:33 -0700
    To: Uwe Doering <gemini@geminix.org>


    Uwe,

    Thank you. That really answers my original question.

    As I said, this was not my patch, and I didn't really even ask for one,
    but Ted created it, and then acted like a jerk to get me to post it to
    you guys.

    Sorry to have taken your time.

    Tim.

    Uwe Doering wrote:

    > Tim Traver wrote:
    >
    >> Hello security gurus,
    >>
    >> yesterday, I mistakenly posted a question on the questions list about
    >> this article :
    >>
    >> http://www.securityfocus.com/bid/13676/info/
    >>
    >> which talks about a form of DOS vulnerability.
    >>
    >> I was curious as to the possibility of FreeBSD 5.x being affected,
    >> and if anyone was working on this or not.
    >>
    >> Ted Mittelstaedt posted this possible patch based upon the OpenBSD
    >> patch :
    >>
    >> in /usr/src/sys/netinet
    >>
    >> *** tcp_input.c.original Thu May 19 11:52:30 2005
    >> --- tcp_input.c Thu May 19 12:00:14 2005
    >> ***************
    >> *** 976,984 ****
    >> --- 976,992 ----
    >> * record the timestamp.
    >> * NOTE that the test is modified according to the latest
    >> * proposal of the tcplw@cray.com list (Braden
    >> 1993/04/26).
    >> + * NOTE2 additional check added as a result of PAWS
    >> vulnerability
    >> + * documented in Cisco security notice
    >> cisco-sn-20050518-tcpts
    >> + * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
    >> */
    >> if ((to.to_flags & TOF_TS) != 0 &&
    >> SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
    >> + if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
    >> +
    >> + ((thflags & (TH_SYN|TH_FIN)) != 0)))
    >> + tp->ts_recent = to.to_tsval;
    >> + else
    >> + tp->ts_recent = 0;
    >> tp->ts_recent_age = ticks;
    >> tp->ts_recent = to.to_tsval;
    >> }
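    Review bot: the added conditional at `+ if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen + ...))` has no effect, because the unchanged context line `tp->ts_recent = to.to_tsval;` two lines below still assigns the timestamp unconditionally, so the `else tp->ts_recent = 0;` branch is immediately overwritten. For the check to change anything, that original assignment has to become a removed (`-`) line, leaving `tp->ts_recent_age = ticks;` as the only unconditional statement after the new if/else. As posted, PAWS behaviour is unchanged. Note also that the condition is wrapped across three mail lines, with the `+` operator of `tlen + ((thflags & (TH_SYN|TH_FIN)) != 0)` sitting alone on its own `+` line, so the hunk will not apply mechanically without rejoining those lines.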
    >
    >
    > I wonder, what good does it do to set 'tp->ts_recent' conditionally if
    > you overwrite it with 'to.to_tsval' two lines later in any case. So
    > far, I'd say this patch looks faulty.
    >
    > Apart from that, why develop your own patch when there is one already
    > in CVS:
    >
    >
    > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=h
    >
    >
    > As far as I can tell there are good chances that it even applies
    > flawlessly to RELENG_4.
    >
    > Uwe

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
