Author: delphij
Date: Tue Jul 21 23:42:20 2015
New Revision: 285779
URL: https://svnweb.freebsd.org/changeset/base/285779
Log:
Fix resource exhaustion due to sessions stuck in LAST_ACK state.
Security: CVE-2015-5358
Security: SA-15:13.tcp
Submitted by: Jonathan Looney (Juniper SIRT)
Reviewed by: lstewart
Modified:
stable/9/sys/netinet/tcp_output.c
Changes in other areas also in this revision:
Modified:
stable/8/sys/netinet/tcp_output.c
Modified: stable/9/sys/netinet/tcp_output.c
==============================================================================
--- stable/9/sys/netinet/tcp_output.c Tue Jul 21 23:42:17 2015
(r285778)
+++ stable/9/sys/netinet/tcp_output.c Tue Jul 21 23:42:20 2015
(r285779)
@@ -397,7 +397,7 @@ after_sack_rexmit:
flags &= ~TH_FIN;
}
- if (len < 0) {
+ if (len <= 0) {
/*
* If FIN has been sent but not acked,
* but we haven't been called to retransmit,
@@ -407,9 +407,16 @@ after_sack_rexmit:
* to (closed) window, and set the persist timer
* if it isn't already going. If the window didn't
* close completely, just wait for an ACK.
+ *
+ * We also do a general check here to ensure that
+ * we will set the persist timer when we have data
+ * to send, but a 0-byte window. This makes sure
+ * the persist timer is set even if the packet
+ * hits one of the "goto send" lines below.
*/
len = 0;
- if (sendwin == 0) {
+ if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ (off < (int) so->so_snd.sb_cc)) {
tcp_timer_activate(tp, TT_REXMT, 0);
tp->t_rxtshift = 0;
tp->snd_nxt = tp->snd_una;
_______________________________________________
svn-src-stable-9@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-stable-9
To unsubscribe, send any mail to "svn-src-stable-9-unsubscr...@freebsd.org"
