Module Name:    src
Committed By:   martin
Date:           Tue Oct  8 11:27:36 UTC 2024

Modified Files:
        src/sys/netinet [netbsd-9]: tcp_input.c

Log Message:
Pull up following revision(s) (requested by rin in ticket #1894):

        sys/netinet/tcp_input.c: revision 1.441

tcp_reass: Mitigate CVE-2018-6922 (SegmentSmack)
at a level of FreeBSD, by introducing an arbitrary (100) limit to
the length of TCP reassembly queues:
https://github.com/freebsd/freebsd-src/commit/95a914f6316874f5b0c45d491f2843dc810071ef

Originally authored by ryo@.

We thank Tomoyuki Sahara <tsahara at iij>, who has analyzed the
problem again, updated the patch, and carried out experiments for
vulnerability scenarios. The confidential PR below is based on
his work.

PR security/58708


To generate a diff of this commit:
cvs rdiff -u -r1.414.2.4 -r1.414.2.5 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.414.2.4 src/sys/netinet/tcp_input.c:1.414.2.5
--- src/sys/netinet/tcp_input.c:1.414.2.4	Sun Sep 13 12:18:16 2020
+++ src/sys/netinet/tcp_input.c	Tue Oct  8 11:27:36 2024
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.414.2.4 2020/09/13 12:18:16 martin Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.414.2.5 2024/10/08 11:27:36 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.414.2.4 2020/09/13 12:18:16 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.414.2.5 2024/10/08 11:27:36 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -237,6 +237,8 @@ int	tcp_autorcvbuf_inc = 16 * 1024;
 int	tcp_autorcvbuf_max = 256 * 1024;
 int	tcp_msl = (TCPTV_MSL / PR_SLOWHZ);
 
+int tcp_reass_maxqueuelen = 100;
+
 static int tcp_rst_ppslim_count = 0;
 static struct timeval tcp_rst_ppslim_last;
 static int tcp_ackdrop_ppslim_count = 0;
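Review bot: `tcp_reass_maxqueuelen` is introduced as a non-static global with no comment stating its unit or scope, and nothing in this diff exposes it as a tunable. A one-line comment (maximum segments held in one connection's reassembly queue) would document the choice of 100. If the value is not meant to be changed at run time, declare it `static const`; if it is, the sysctl wiring belongs in the same change. Style point: the neighbouring declarations separate the type and name with a tab (`int	tcp_msl`), while this line uses a space.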
@@ -707,6 +709,13 @@ tcp_reass(struct tcpcb *tp, const struct
 #endif
 
 insert_it:
+	/* limit tcp segments per reassembly queue */
+	if (tp->t_segqlen > tcp_reass_maxqueuelen) {
+		TCP_STATINC(TCP_STAT_RCVMEMDROP);
+		m_freem(m);
+		goto out;
+	}
+
 	/*
 	 * Allocate a new queue entry (block) since the received segment
 	 * did not collapse onto any other out-of-order block. If it had
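
Review bot: The check at `insert_it` compares with `>`, so a queue that already holds `tcp_reass_maxqueuelen` segments still reaches the allocation below and ends up one entry over the limit, assuming `t_segqlen` counts queued entries. Using `>=` would make 100 the actual ceiling. The drop is also accounted under `TCP_STAT_RCVMEMDROP`, so queue-limit drops cannot be told apart from whatever else increments that counter. A dedicated statistic, or at least a comment noting the reuse, would make it possible to see from the statistics when this mitigation is triggering.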
