[Midnightbsd-cvs] src [6651] trunk/sys/netinet/tcp_reass.c: Fix a TCP reassembly bug that could result in a DOS attack.
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Wed Apr 30 08:19:25 EDT 2014
Revision: 6651
http://svnweb.midnightbsd.org/src/?rev=6651
Author: laffer1
Date: 2014-04-30 08:19:24 -0400 (Wed, 30 Apr 2014)
Log Message:
-----------
Fix a TCP reassembly bug that could result in a DOS attack.
Obtained from: FreeBSD
Modified Paths:
--------------
trunk/sys/netinet/tcp_reass.c
Property Changed:
----------------
trunk/sys/netinet/tcp_reass.c
Modified: trunk/sys/netinet/tcp_reass.c
===================================================================
--- trunk/sys/netinet/tcp_reass.c 2014-04-22 11:15:32 UTC (rev 6650)
+++ trunk/sys/netinet/tcp_reass.c 2014-04-30 12:19:24 UTC (rev 6651)
@@ -211,7 +211,7 @@
* Investigate why and re-evaluate the below limit after the behaviour
* is understood.
*/
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
V_tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -234,7 +234,7 @@
*/
te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -282,7 +282,8 @@
TCPSTAT_INC(tcps_rcvduppack);
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
Property changes on: trunk/sys/netinet/tcp_reass.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.5
\ No newline at end of property
More information about the Midnightbsd-cvs
mailing list