Andre Oppermann wrote:
Harti Brandt wrote:
Hi Andre,
On Mon, 17 Nov 2008, Andre Oppermann wrote:
AO>This is a bit more complicated because of interactions with tcp_input()
AO>where syncache_expand() is called from.
AO>
AO>The old code (as of December 2002) behaved slightly differently. It would
AO>not remove the syncache entry when (SND.UNA == SEG.ACK) but send a RST.
AO>The (RCV.NXT =< SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND) test wasn't done at
AO>all. Instead a socket was opened whenever (SND.UNA == SEG.ACK) succeeded.
AO>This gave way to the "LAND" DoS attack which was mostly fixed with a test
AO>for (RCV.IRS < SEG.SEQ).
AO>
AO>See the attached patch for the fixed version of syncache_expand(). This
AO>patch is untested though. My development machine is currently down. Harti,
AO>Rui and Bjoern, please have a look at the patch and review it.
Some small problems:
...
Need another cast here: *lsop = (struct socket *)1.
Changed the logic to use a NULL *lsop to differentiate in tcp_input().
Much simpler.
Turns out there is a bug in the patch: after the call to
syncache_lookup() a test for sc == NULL is made, and if sc == NULL it may
goto sendrst:

sendrst:
	if (sc != &scs)
		syncache_free(sc);

Here syncache_free panics because of the NULL passed to it. I suppose
both gotos under the if() should go to sendrstkeep instead.
harti
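The control-flow bug Harti describes, as an added example that is not part of the thread or of FreeBSD's source: a constructed, simplified model of syncache_expand() with the sendrst/sendrstkeep labels from the mail. The table layout, struct seg, EXPAND_* and the panicked flag are inventions of the model; syncache_free() records a "panic" instead of dereferencing NULL so the two jump targets can be compared.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the syncache_expand() control flow discussed above,
 * not FreeBSD's code.  Names follow the mail; tab, seg, EXPAND_* and
 * panicked are inventions of the model. */
enum { EXPAND_RST = 0, EXPAND_ACCEPT = 1 };
struct syncache { uint32_t sc_iss, sc_irs, sc_wnd; int valid; }; /* our ISS, peer ISS, RCV.WND */
struct seg { uint32_t seq, ack, len; };
static int panicked;  /* set when syncache_free() would dereference NULL */

static void syncache_free(struct syncache *sc)
{
	if (sc == NULL) { panicked = 1; return; }  /* kernel: NULL deref panic */
	sc->valid = 0;
}

/* Entry with sc_iss + 1 == SEG.ACK, i.e. SND.UNA == SEG.ACK; NULL if none. */
static struct syncache *syncache_lookup(struct syncache *tab, size_t n, uint32_t ack)
{
	for (size_t i = 0; i < n; i++)
		if (tab[i].valid && tab[i].sc_iss + 1 == ack)
			return &tab[i];
	return NULL;
}

/* buggy=1: the patch as reviewed, sc == NULL jumps to sendrst and frees NULL.
 * buggy=0: Harti's suggestion, jump to sendrstkeep and free nothing. */
static int syncache_expand_model(struct syncache *tab, size_t n, const struct seg *s, int buggy)
{
	struct syncache *sc = syncache_lookup(tab, n, s->ack);
	if (sc == NULL) {
		if (buggy) goto sendrst;
		goto sendrstkeep;
	}
	/* RCV.NXT <= SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND, computed modulo 2^32 */
	uint32_t last = s->len ? s->seq + s->len - 1 : s->seq;
	if (last - (sc->sc_irs + 1) >= sc->sc_wnd)
		goto sendrst;   /* ACK outside the window: discard entry, send RST */
	syncache_free(sc);  /* entry consumed; the real code builds the socket here */
	return EXPAND_ACCEPT;
sendrst:
	syncache_free(sc);  /* the "if (sc != &scs)" guard does not catch NULL */
sendrstkeep:
	return EXPAND_RST;
}
```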
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"