Author: delphij
Date: Wed Apr 30 04:02:57 2014
New Revision: 265121
URL: http://svnweb.freebsd.org/changeset/base/265121
Log:
Fix TCP reassembly vulnerability.
Patch done by: glebius
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
Modified:
head/sys/netinet/tcp_reass.c
Modified: head/sys/netinet/tcp_reass.c
==============================================================================
--- head/sys/netinet/tcp_reass.c Wed Apr 30 04:02:36 2014
(r265120)
+++ head/sys/netinet/tcp_reass.c Wed Apr 30 04:02:57 2014
(r265121)
@@ -194,7 +194,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
* Investigate why and re-evaluate the below limit after the behaviour
* is understood.
*/
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
V_tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -217,7 +217,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
*/
te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt ||
!TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -265,7 +265,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd
TCPSTAT_INC(tcps_rcvduppack);
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
