[Midnightbsd-cvs] src [6653] MidnightBSD 0.4-RELEASE-p10
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Wed Apr 30 08:23:07 EDT 2014
Revision: 6653
http://svnweb.midnightbsd.org/src/?rev=6653
Author: laffer1
Date: 2014-04-30 08:23:07 -0400 (Wed, 30 Apr 2014)
Log Message:
-----------
MidnightBSD 0.4-RELEASE-p10
Fix a TCP reassembly bug that could result in a denial-of-service (DoS)
attack against the system. It may also be possible to obtain portions
of kernel memory.
Modified Paths:
--------------
stable/0.4/UPDATING
stable/0.4/sys/conf/newvers.sh
stable/0.4/sys/netinet/tcp_reass.c
Property Changed:
----------------
stable/0.4/sys/netinet/tcp_reass.c
Modified: stable/0.4/UPDATING
===================================================================
--- stable/0.4/UPDATING 2014-04-30 12:20:44 UTC (rev 6652)
+++ stable/0.4/UPDATING 2014-04-30 12:23:07 UTC (rev 6653)
@@ -1,5 +1,12 @@
Updating Information for MidnightBSD users.
+20140430:
+ 0.4-RELEASE-p10
+
+ Fix a TCP reassembly bug that could result in a DOS attack
+ of the system. It may be possible to obtain portions
+ of kernel memory as well.
+
20140409:
0.4-RELEASE-p9
Modified: stable/0.4/sys/conf/newvers.sh
===================================================================
--- stable/0.4/sys/conf/newvers.sh 2014-04-30 12:20:44 UTC (rev 6652)
+++ stable/0.4/sys/conf/newvers.sh 2014-04-30 12:23:07 UTC (rev 6653)
@@ -33,7 +33,7 @@
TYPE="MidnightBSD"
REVISION="0.4"
-BRANCH="RELEASE-p9"
+BRANCH="RELEASE-p10"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: stable/0.4/sys/netinet/tcp_reass.c
===================================================================
--- stable/0.4/sys/netinet/tcp_reass.c 2014-04-30 12:20:44 UTC (rev 6652)
+++ stable/0.4/sys/netinet/tcp_reass.c 2014-04-30 12:23:07 UTC (rev 6653)
@@ -211,7 +211,7 @@
* Investigate why and re-evaluate the below limit after the behaviour
* is understood.
*/
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
V_tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
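Review bot: The new predicate `th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)` is written out twice, here and in the `te == NULL` branch of the next hunk, and neither site says why connection state now matters. The `te != &tqs` test in the third hunk suggests that a stack-resident entry can stand in for a zone allocation, which is presumably only safe when the segment is handed to the socket before the function returns; that would explain excluding connections that are not yet established, but the fallback branch itself is outside these hunks. I would assign the predicate once to a local, e.g. `must_queue = th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state);`, test `must_queue` in both conditions, and add a comment such as `/* Segment stays on the reassembly queue past this call, so it needs a zone-allocated entry and counts against the queue limit. */`. The enclosing function starts and ends outside the hunk.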
@@ -234,7 +234,7 @@
*/
te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -282,7 +282,8 @@
TCPSTAT_INC(tcps_rcvduppack);
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
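Review bot: The guard `if (te != &tqs)` carries no comment, so a later reader cannot tell from this branch why a free would ever be skipped. From the comparison, `te` can apparently point at the local `tqs` rather than a zone item, and handing that address to `uma_zfree()` would return stack memory to the allocator; a comment like `/* te may be the on-stack tqs fallback; only zone items go back to the zone */` would record that. `tp->t_segqlen--` on the next line stays unconditional, which is right only if the counter was also incremented for the stack entry; that increment is outside the hunk and worth confirming. Any other path in this function that frees `te` needs the same guard.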
Property changes on: stable/0.4/sys/netinet/tcp_reass.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.5
\ No newline at end of property