On Tue, Dec 19, 2000 at 06:25:46AM -0800, Don Lewis wrote:
> In the other states, RFC 793 says that the RST sanity checking is done by
> comparing the sequence number of the incoming RST packet against
> the transmit window (our outgoing acknowledgement numbers). The host
> sending the RST is supposed to copy the acknowledgement number from
> an incoming packet to the sequence number of the outgoing RST packet.
> This presents a bit of a problem if we try to do the same thing with ICMP,
> since it appears that the acknowledgement number is trimmed off the
> data that is returned in the ICMP packet.
>
> It's been too long a day for me to figure out the security implications
> of nuking non-SYN-SENT connections based on the sequence number (which
> would still be better than nuking these connections without any additional
> checking). If we want to do this, the test should probably be:
>
>     if (SEQ_LEQ(tcp_sequence, tp->snd_una) ||
>         SEQ_GT(tcp_sequence, tp->snd_max)) {
>
> though someone needs to check this for fencepost errors.

It should be

    if (SEQ_LT(tcp_sequence, tp->snd_una) ||
        SEQ_GT(tcp_sequence, tp->snd_max)) {

As the sequence number will be == tp->snd_una when the window is zero.

I'll submit a new later tonight, as I haven't heard anything, I'll make a
sysctl control if it should have effect on all sessions, or only those
in SYN-SENT state, defaulting to those in SYN-SENT state only.

/Jesper
--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
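
Added example, not code from either poster or from the FreeBSD tree: the two boundary tests from this thread compared on constructed sequence numbers, including the seq == snd_una fencepost and 32-bit wraparound. The SEQ_* macro definitions (signed-difference style) and the helper names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Wraparound-safe comparisons via signed 32-bit difference (assumed
 * definitions; the thread uses the macros without showing them). */
#define SEQ_LT(a, b)  ((int32_t)((tcp_seq)(a) - (tcp_seq)(b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((tcp_seq)(a) - (tcp_seq)(b)) <= 0)
#define SEQ_GT(a, b)  ((int32_t)((tcp_seq)(a) - (tcp_seq)(b)) > 0)

/* Hypothetical helper: 1 = ignore the ICMP error, because the quoted
 * sequence number is outside [snd_una, snd_max]. SEQ_LT variant. */
int icmp_seq_rejected_lt(tcp_seq seq, tcp_seq snd_una, tcp_seq snd_max)
{
    return SEQ_LT(seq, snd_una) || SEQ_GT(seq, snd_max);
}

/* Same test with SEQ_LEQ: also rejects seq == snd_una. */
int icmp_seq_rejected_leq(tcp_seq seq, tcp_seq snd_una, tcp_seq snd_max)
{
    return SEQ_LEQ(seq, snd_una) || SEQ_GT(seq, snd_max);
}

int main(void)
{
    /* Constructed values: snd_una sits 16 below the 2^32 wrap and
     * 100 bytes are unacknowledged, so snd_max wraps to 0x54. */
    tcp_seq una = 0xFFFFFFF0u, max = una + 100;
    tcp_seq probe[] = { una - 1, una, 0x10u, max, max + 1 };
    size_t i;

    printf("%-12s %-8s %-8s\n", "seq", "SEQ_LT", "SEQ_LEQ");
    for (i = 0; i < sizeof(probe) / sizeof(probe[0]); i++)
        printf("0x%08lx   %-8s %-8s\n", (unsigned long)probe[i],
               icmp_seq_rejected_lt(probe[i], una, max) ? "reject" : "accept",
               icmp_seq_rejected_leq(probe[i], una, max) ? "reject" : "accept");
    return 0;
}
```

The two variants differ only in the row where seq equals snd_una; a plain unsigned `<` / `>` comparison would misjudge the rows that straddle the wrap.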