patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
		
			
				
	
	
		
		
	
	
	
	
	
-----BEGIN PGP SIGNED MESSAGE-----
 | 
						|
 | 
						|
=============================================================================
 | 
						|
FreeBSD-SA-98:01                                            Security Advisory
 | 
						|
                                                                FreeBSD, Inc.
 | 
						|
 | 
						|
Topic:          LAND attack can cause harm to running FreeBSD systems
 | 
						|
 | 
						|
Category:       core
 | 
						|
Module:         kern
 | 
						|
Announced:      1997-12-01
 | 
						|
Affects:        FreeBSD 2.1.*, FreeBSD 2.2.0R, 2.2.1R, 2.2.5R
 | 
						|
		FreeBSD-stable and FreeBSD-current 
 | 
						|
Doesn't Affect:	FreeBSD 2.2.2R
 | 
						|
Corrected:      FreeBSD 2.2.6R, FreeBSD-current as of Jan 21, 1998
 | 
						|
		FreeBSD-stable as of Jan 30, 1998
 | 
						|
FreeBSD only:   no
 | 
						|
 | 
						|
Patches:        ftp://ftp.freebsd.org/pub/CERT/patches/SA-98:01/
 | 
						|
 | 
						|
=============================================================================
 | 
						|
IMPORTANT MESSAGE: The FreeBSD advisory archive has moved from
 | 
						|
ftp://freebsd.org/pub/CERT to ftp://ftp.freebsd.org/pub/CERT
 | 
						|
=============================================================================
 | 
						|
 | 
						|
I.   Background
 | 
						|
 | 
						|
     In most TCP stacks state is kept based on the source and
 | 
						|
     destination address of a packet received.
 | 
						|
 | 
						|
II.  Problem Description
 | 
						|
 | 
						|
     A problem exists in most FreeBSD derived stacks that allows a
 | 
						|
     malicious user to send a packet that causes the sytsem to lock
 | 
						|
     up, thus producing a denial of service attack.
 | 
						|
 | 
						|
III. Impact
 | 
						|
 | 
						|
     Any person on the Internet who can send a FreeBSD machine a
 | 
						|
     packet can cause it to lock up and be taken out of service.
 | 
						|
     
 | 
						|
IV.  Workaround
 | 
						|
 | 
						|
     A firewall can be used to filter packets from the Internet that
 | 
						|
     appear to be from your local network.  This will not eliminate
 | 
						|
     the threat, but will eliminate external attacks.
 | 
						|
 | 
						|
V.   Solution
 | 
						|
 | 
						|
     Apply the enclosed patch.  There are two patches, one for FreeBSD
 | 
						|
     -current, and another for FreeBSD 2.2-stable.
 | 
						|
 | 
						|
    patch for -current prior to Jan 21, 1998.  Found in land-current.
 | 
						|
 | 
						|
    Index: tcp_input.c
 | 
						|
    ===================================================================
 | 
						|
    RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v
 | 
						|
    retrieving revision 1.67
 | 
						|
    retrieving revision 1.68
 | 
						|
    diff -u -r1.67 -r1.68
 | 
						|
    --- tcp_input.c	1997/12/19 23:46:15	1.67
 | 
						|
    +++ tcp_input.c	1998/01/21 02:05:59	1.68
 | 
						|
    @@ -626,6 +613,7 @@
 | 
						|
     	 * If the state is LISTEN then ignore segment if it contains an RST.
 | 
						|
     	 * If the segment contains an ACK then it is bad and send a RST.
 | 
						|
     	 * If it does not contain a SYN then it is not interesting; drop it.
 | 
						|
    +	 * If it is from this socket, drop it, it must be forged.
 | 
						|
     	 * Don't bother responding if the destination was a broadcast.
 | 
						|
     	 * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial
 | 
						|
     	 * tp->iss, and send a segment:
 | 
						|
    @@ -644,6 +632,9 @@
 | 
						|
     			goto dropwithreset;
 | 
						|
     		if ((tiflags & TH_SYN) == 0)
 | 
						|
     			goto drop;
 | 
						|
    +		if ((ti->ti_dport == ti->ti_sport) &&
 | 
						|
    +		    (ti->ti_dst.s_addr == ti->ti_src.s_addr))
 | 
						|
    +			goto drop;
 | 
						|
     		/*
 | 
						|
     		 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
 | 
						|
     		 * in_broadcast() should never return true on a received
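Review bot: The forged-segment test added just before the RFC1122 broadcast comment discards the packet with `goto drop` and records nothing, so the TCP statistics give an operator no sign that self-addressed SYNs are arriving. The SYN_RECEIVED hunk further down bumps `tcpstat.tcps_badsyn` before resetting; putting `tcpstat.tcps_badsyn++;` ahead of `goto drop;` here (with braces around the two statements) would make these drops countable, provided that counter is meant to cover this case. The test also carries no comment at the site, and `/* same address and port on both ends: forged, drop silently */` would tie it to the line added to the LISTEN header comment. The same points apply to the `@@ -646,6 +634,9 @@` hunk of the 2.2 patch. The enclosing function starts and ends outside the hunk.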
 | 
						|
    @@ -762,6 +753,23 @@
 | 
						|
     		}
 | 
						|
     
 | 
						|
     	/*
 | 
						|
    +	 * If the state is SYN_RECEIVED:
 | 
						|
    +	 *	if seg contains SYN/ACK, send a RST.
 | 
						|
    +	 *	if seg contains an ACK, but not for our SYN/ACK, send a RST.
 | 
						|
    +	 */
 | 
						|
    +	case TCPS_SYN_RECEIVED:
 | 
						|
    +		if (tiflags & TH_ACK) {
 | 
						|
    +			if (tiflags & TH_SYN) {
 | 
						|
    +				tcpstat.tcps_badsyn++;
 | 
						|
    +				goto dropwithreset;
 | 
						|
    +			}
 | 
						|
    +			if (SEQ_LEQ(ti->ti_ack, tp->snd_una) ||
 | 
						|
    +			    SEQ_GT(ti->ti_ack, tp->snd_max))
 | 
						|
    +				goto dropwithreset;
 | 
						|
    +		}
 | 
						|
    +		break;
 | 
						|
    +
 | 
						|
    +	/*
 | 
						|
     	 * If the state is SYN_SENT:
 | 
						|
     	 *	if seg contains an ACK, but not for our SYN, drop the input.
 | 
						|
     	 *	if seg contains a RST, then drop the connection.
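Review bot: The new `case TCPS_SYN_RECEIVED:` rejects an ACK with `SEQ_LEQ(ti->ti_ack, tp->snd_una)`, which is stricter than the test the last hunk removes (`SEQ_GT(tp->snd_una, ti->ti_ack)`): a segment whose ack equals `snd_una` is now reset where it used to pass. The tightening looks deliberate, since such an ACK acknowledges nothing beyond `snd_una`, but the comment block does not say so; a line such as `* (an ack equal to snd_una is rejected as well)` would keep a later reader from restoring the old comparison. The later switch now depends on this case having run first, so its new comment `The ACK was checked above.` would be clearer if it named this case. The `@@ -765,6 +756,23 @@` hunk of the 2.2 patch is identical, and the switch this case belongs to begins outside the hunk.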
 | 
						|
    @@ -1176,14 +1184,11 @@
 | 
						|
     	switch (tp->t_state) {
 | 
						|
     
 | 
						|
     	/*
 | 
						|
    -	 * In SYN_RECEIVED state if the ack ACKs our SYN then enter
 | 
						|
    -	 * ESTABLISHED state and continue processing, otherwise
 | 
						|
    -	 * send an RST.
 | 
						|
    +	 * In SYN_RECEIVED state, the ack ACKs our SYN, so enter
 | 
						|
    +	 * ESTABLISHED state and continue processing.
 | 
						|
    +	 * The ACK was checked above.
 | 
						|
     	 */
 | 
						|
     	case TCPS_SYN_RECEIVED:
 | 
						|
    -		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
 | 
						|
    -		    SEQ_GT(ti->ti_ack, tp->snd_max))
 | 
						|
    -			goto dropwithreset;
 | 
						|
     
 | 
						|
     		tcpstat.tcps_connects++;
 | 
						|
     		soisconnected(so);
 | 
						|
 | 
						|
    patch for 2.2.5 and 2.2.5-stable before Jan 30, 1998 found in land-22
 | 
						|
 | 
						|
    Index: tcp_input.c
 | 
						|
    ===================================================================
 | 
						|
    RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v
 | 
						|
    retrieving revision 1.54.2.6
 | 
						|
    retrieving revision 1.54.2.7
 | 
						|
    diff -u -r1.54.2.6 -r1.54.2.7
 | 
						|
    --- tcp_input.c	1997/11/20 21:45:34	1.54.2.6
 | 
						|
    +++ tcp_input.c	1998/01/30 19:13:55	1.54.2.7
 | 
						|
    @@ -627,6 +614,7 @@
 | 
						|
     	 * If the state is LISTEN then ignore segment if it contains an RST.
 | 
						|
     	 * If the segment contains an ACK then it is bad and send a RST.
 | 
						|
     	 * If it does not contain a SYN then it is not interesting; drop it.
 | 
						|
    +	 * If it is from this socket, drop it, it must be forged.
 | 
						|
     	 * Don't bother responding if the destination was a broadcast.
 | 
						|
     	 * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial
 | 
						|
     	 * tp->iss, and send a segment:
 | 
						|
    @@ -646,6 +634,9 @@
 | 
						|
     			goto dropwithreset;
 | 
						|
     		if ((tiflags & TH_SYN) == 0)
 | 
						|
     			goto drop;
 | 
						|
    +		if ((ti->ti_dport == ti->ti_sport) &&
 | 
						|
    +		    (ti->ti_dst.s_addr == ti->ti_src.s_addr))
 | 
						|
    +			goto drop;
 | 
						|
     		/*
 | 
						|
     		 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
 | 
						|
     		 * in_broadcast() should never return true on a received
 | 
						|
    @@ -765,6 +756,23 @@
 | 
						|
     		}
 | 
						|
     
 | 
						|
     	/*
 | 
						|
    +	 * If the state is SYN_RECEIVED:
 | 
						|
    +	 *	if seg contains SYN/ACK, send a RST.
 | 
						|
    +	 *	if seg contains an ACK, but not for our SYN/ACK, send a RST.
 | 
						|
    +	 */
 | 
						|
    +	case TCPS_SYN_RECEIVED:
 | 
						|
    +		if (tiflags & TH_ACK) {
 | 
						|
    +			if (tiflags & TH_SYN) {
 | 
						|
    +				tcpstat.tcps_badsyn++;
 | 
						|
    +				goto dropwithreset;
 | 
						|
    +			}
 | 
						|
    +			if (SEQ_LEQ(ti->ti_ack, tp->snd_una) ||
 | 
						|
    +			    SEQ_GT(ti->ti_ack, tp->snd_max))
 | 
						|
    +				goto dropwithreset;
 | 
						|
    +		}
 | 
						|
    +		break;
 | 
						|
    +
 | 
						|
    +	/*
 | 
						|
     	 * If the state is SYN_SENT:
 | 
						|
     	 *	if seg contains an ACK, but not for our SYN, drop the input.
 | 
						|
     	 *	if seg contains a RST, then drop the connection.
 | 
						|
    @@ -1179,14 +1187,11 @@
 | 
						|
     	switch (tp->t_state) {
 | 
						|
     
 | 
						|
     	/*
 | 
						|
    -	 * In SYN_RECEIVED state if the ack ACKs our SYN then enter
 | 
						|
    -	 * ESTABLISHED state and continue processing, otherwise
 | 
						|
    -	 * send an RST.
 | 
						|
    +	 * In SYN_RECEIVED state, the ack ACKs our SYN, so enter
 | 
						|
    +	 * ESTABLISHED state and continue processing.
 | 
						|
    +	 * The ACK was checked above.
 | 
						|
     	 */
 | 
						|
     	case TCPS_SYN_RECEIVED:
 | 
						|
    -		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
 | 
						|
    -		    SEQ_GT(ti->ti_ack, tp->snd_max))
 | 
						|
    -			goto dropwithreset;
 | 
						|
     
 | 
						|
     		tcpstat.tcps_connects++;
 | 
						|
     		soisconnected(so);
 | 
						|
    
 | 
						|
 | 
						|
=============================================================================
 | 
						|
FreeBSD, Inc.
 | 
						|
 | 
						|
Web Site:                       http://www.freebsd.org/
 | 
						|
Confidential contacts:          security-officer@freebsd.org
 | 
						|
PGP Key:                        ftp://ftp.freebsd.org/pub/CERT/public_key.asc
 | 
						|
Security notifications:         security-notifications@freebsd.org
 | 
						|
Security public discussion:     security@freebsd.org
 | 
						|
 | 
						|
Notice: Any patches in this document may not apply cleanly due to
 | 
						|
        modifications caused by digital signature or mailer software.
 | 
						|
        Please reference the URL listed at the top of this document
 | 
						|
        for original copies of all patches if necessary.
 | 
						|
=============================================================================
 | 
						|
 | 
						|
-----BEGIN PGP SIGNATURE-----
 | 
						|
Version: 2.6.2
 | 
						|
 | 
						|
iQCVAwUBNQg21FUuHi5z0oilAQFsYAP/TSdBmRb90H9/JqCvM/7pn1FOngoJgLPV
 | 
						|
GzEBEKe1cbeY5tOY/rCLPVX3g+JjRjPFkMICaTYk0JdFEO29CLhw5qoX/OAm4M+M
 | 
						|
erMJvXUJ3SPaEAEgK7zh5c73t9I4573Rbp1IxU3uZiqVSc3myJxCtFa4ZW2O6zkm
 | 
						|
G57fsHlGRKo=
 | 
						|
=4fC3
 | 
						|
-----END PGP SIGNATURE-----
 |