[Midnightbsd-cvs] src [7420] stable/0.7/sys/netinet/tcp_output.c: TCP MD5 signature denial of service fix

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Thu Jan 14 08:25:46 EST 2016


Revision: 7420
          http://svnweb.midnightbsd.org/src/?rev=7420
Author:   laffer1
Date:     2016-01-14 08:25:45 -0500 (Thu, 14 Jan 2016)
Log Message:
-----------
TCP MD5 signature denial of service fix

Modified Paths:
--------------
    stable/0.7/UPDATING
    stable/0.7/sys/netinet/tcp_output.c

Property Changed:
----------------
    stable/0.7/

Index: stable/0.7
===================================================================
--- stable/0.7	2016-01-14 13:14:41 UTC (rev 7419)
+++ stable/0.7	2016-01-14 13:25:45 UTC (rev 7420)

Property changes on: stable/0.7
___________________________________________________________________
Modified: svn:mergeinfo
## -1 +1 ##
-/trunk:7416
\ No newline at end of property
+/trunk:7416,7419
\ No newline at end of property
Modified: stable/0.7/UPDATING
===================================================================
--- stable/0.7/UPDATING	2016-01-14 13:14:41 UTC (rev 7419)
+++ stable/0.7/UPDATING	2016-01-14 13:25:45 UTC (rev 7420)
@@ -4,6 +4,11 @@
 	0.7.2 RELEASE
 	Fix a security issue with bsnmpd configuration file installation.
 
+	TCP MD5 signature denial of service
+
+        A programming error in processing a TCP connection with both TCP_MD5SIG
+        and TCP_NOOPT socket options may lead to kernel crash.
+
 20151002:
 	Revised rpcbind(8) patch to fix issues with NIS
 
@@ -16,7 +21,6 @@
         of the two netbuf structures is freed, access to the other netbuf structure
         would result in an undefined result that may crash the rpcbind(8) daemon.
 
-
 20150919:	
 	0.7 RELEASE
 

Modified: stable/0.7/sys/netinet/tcp_output.c
===================================================================
--- stable/0.7/sys/netinet/tcp_output.c	2016-01-14 13:14:41 UTC (rev 7419)
+++ stable/0.7/sys/netinet/tcp_output.c	2016-01-14 13:25:45 UTC (rev 7420)
@@ -676,8 +676,8 @@
 	 * segments.  Options for SYN-ACK segments are handled in TCP
 	 * syncache.
 	 */
+	to.to_flags = 0;
 	if ((tp->t_flags & TF_NOOPT) == 0) {
-		to.to_flags = 0;
 		/* Maximum segment size. */
 		if (flags & TH_SYN) {
 			tp->snd_nxt = tp->iss;
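Review bot: The hoisted `to.to_flags = 0;` carries no comment saying why it must run even when TF_NOOPT is set, so a later cleanup could move it back inside the branch and reintroduce the crash described in UPDATING. Judging from the TCP_SIGNATURE block changed further down in this commit, `to.to_flags` is now read after option processing regardless of TF_NOOPT. I would add above it `/* Clear unconditionally: to.to_flags is tested below (TOF_SIGNATURE) even when TF_NOOPT skips option setup. */`. Only `to_flags` is initialised here; the other fields of `to` stay unset on the TF_NOOPT path, which is safe only while every later read is gated on a flag bit. The enclosing function starts and ends outside the hunk.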
@@ -1047,7 +1047,7 @@
 		tp->snd_up = tp->snd_una;		/* drag it along */
 
 #ifdef TCP_SIGNATURE
-	if (tp->t_flags & TF_SIGNATURE) {
+	if (to.to_flags & TOF_SIGNATURE) {
 		int sigoff = to.to_signature - opt;
 		tcp_signature_compute(m, 0, len, optlen,
 		    (u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
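Review bot: `int sigoff = to.to_signature - opt;` trusts `to.to_signature` whenever TOF_SIGNATURE is set in `to.to_flags`, but nothing in this block checks that the pointer was written or that the offset lies inside the options area. The code that assigns `to_signature` is not visible in this hunk. If the option builder can skip the signature option while leaving the flag set (for example when option space runs out, which needs confirming against tcp_addoptions), the digest would be written through a stale pointer. A cheap guard before the call would be `KASSERT(sigoff >= 0 && sigoff + TCPOLEN_SIGNATURE - 2 <= optlen, ("%s: bad signature offset", __func__));`, or a runtime check that drops the segment on kernels built without INVARIANTS. The block continues past the end of the hunk.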
@@ -1456,6 +1456,7 @@
 			bcopy((u_char *)&to->to_tsecr, optp, sizeof(to->to_tsecr));
 			optp += sizeof(to->to_tsecr);
 			break;
+#ifdef TCP_SIGNATURE
 		case TOF_SIGNATURE:
 			{
 			int siglen = TCPOLEN_SIGNATURE - 2;
@@ -1474,6 +1475,7 @@
 				 *optp++ = 0;
 			break;
 			}
+#endif
 		case TOF_SACK:
 			{
 			int sackblks = 0;
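Review bot: The `#endif` added after the TOF_SIGNATURE case sits about twenty lines from its `#ifdef TCP_SIGNATURE` (in the previous hunk) and inside a switch body, so it should name its condition: `#endif /* TCP_SIGNATURE */`. With the case compiled out, a TOF_SIGNATURE bit in `to->to_flags` would fall to whatever default handling the switch has, which is not visible here. If the intent is that the flag is never set without TCP_SIGNATURE, a one-line comment at the `#ifdef` saying so would document that assumption. The switch begins and ends outside both hunks.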


