Diffstat (limited to 'share/security/advisories/FreeBSD-SA-98:01.land.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-98:01.land.asc | 219 |
1 files changed, 0 insertions, 219 deletions
diff --git a/share/security/advisories/FreeBSD-SA-98:01.land.asc b/share/security/advisories/FreeBSD-SA-98:01.land.asc
deleted file mode 100644
index a6c29b2e3d..0000000000
--- a/share/security/advisories/FreeBSD-SA-98:01.land.asc
+++ /dev/null
@@ -1,219 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-98:01 Security Advisory - FreeBSD, Inc. - -Topic: LAND attack can cause harm to running FreeBSD systems - -Category: core -Module: kern -Announced: 1997-12-01 -Affects: FreeBSD 2.1.*, FreeBSD 2.2.0R, 2.2.1R, 2.2.5R - FreeBSD-stable and FreeBSD-current -Doesn't Affect: FreeBSD 2.2.2R -Corrected: FreeBSD 2.2.6R, FreeBSD-current as of Jan 21, 1998 - FreeBSD-stable as of Jan 30, 1998 -FreeBSD only: no - -Patches: ftp://ftp.freebsd.org/pub/CERT/patches/SA-98:01/ - -============================================================================= -IMPORTANT MESSAGE: The FreeBSD advisory archive has moved from -ftp://freebsd.org/pub/CERT to ftp://ftp.freebsd.org/pub/CERT -============================================================================= - -I. Background - - In most TCP stacks state is kept based on the source and - destination address of a packet received. - -II. Problem Description - - A problem exists in most FreeBSD derived stacks that allows a - malicious user to send a packet that causes the sytsem to lock - up, thus producing a denial of service attack. - -III. Impact - - Any person on the Internet who can send a FreeBSD machine a - packet can cause it to lock up and be taken out of service. - -IV. Workaround - - A firewall can be used to filter packets from the Internet that - appear to be from your local network. This will not eliminate - the threat, but will eliminate external attacks. - -V. Solution - - Apply the enclosed patch. There are two patches, one for FreeBSD - -current, and another for FreeBSD 2.2-stable. - - patch for -current prior to Jan 21, 1998. Found in land-current. 
- - Index: tcp_input.c - =================================================================== - RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v - retrieving revision 1.67 - retrieving revision 1.68 - diff -u -r1.67 -r1.68 - --- tcp_input.c 1997/12/19 23:46:15 1.67 - +++ tcp_input.c 1998/01/21 02:05:59 1.68 - @@ -626,6 +613,7 @@ - * If the state is LISTEN then ignore segment if it contains an RST. - * If the segment contains an ACK then it is bad and send a RST. - * If it does not contain a SYN then it is not interesting; drop it. - + * If it is from this socket, drop it, it must be forged. - * Don't bother responding if the destination was a broadcast. - * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial - * tp->iss, and send a segment: - @@ -644,6 +632,9 @@ - goto dropwithreset; - if ((tiflags & TH_SYN) == 0) - goto drop; - + if ((ti->ti_dport == ti->ti_sport) && - + (ti->ti_dst.s_addr == ti->ti_src.s_addr)) - + goto drop; - /* - * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN - * in_broadcast() should never return true on a received - @@ -762,6 +753,23 @@ - } - - /* - + * If the state is SYN_RECEIVED: - + * if seg contains SYN/ACK, send a RST. - + * if seg contains an ACK, but not for our SYN/ACK, send a RST. - + */ - + case TCPS_SYN_RECEIVED: - + if (tiflags & TH_ACK) { - + if (tiflags & TH_SYN) { - + tcpstat.tcps_badsyn++; - + goto dropwithreset; - + } - + if (SEQ_LEQ(ti->ti_ack, tp->snd_una) || - + SEQ_GT(ti->ti_ack, tp->snd_max)) - + goto dropwithreset; - + } - + break; - + - + /* - * If the state is SYN_SENT: - * if seg contains an ACK, but not for our SYN, drop the input. - * if seg contains a RST, then drop the connection. - 
@@ -1176,14 +1184,11 @@ - switch (tp->t_state) { - - /* - - * In SYN_RECEIVED state if the ack ACKs our SYN then enter - - * ESTABLISHED state and continue processing, otherwise - - * send an RST. - + * In SYN_RECEIVED state, the ack ACKs our SYN, so enter - + * ESTABLISHED state and continue processing. - + * The ACK was checked above. - */ - case TCPS_SYN_RECEIVED: - - if (SEQ_GT(tp->snd_una, ti->ti_ack) || - - SEQ_GT(ti->ti_ack, tp->snd_max)) - - goto dropwithreset; - - tcpstat.tcps_connects++; - soisconnected(so); - - patch for 2.2.5 and 2.2.5-stable before Jan 30, 1998 found in land-22 - - Index: tcp_input.c - =================================================================== - RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v - retrieving revision 1.54.2.6 - retrieving revision 1.54.2.7 - diff -u -r1.54.2.6 -r1.54.2.7 - --- tcp_input.c 1997/11/20 21:45:34 1.54.2.6 - +++ tcp_input.c 1998/01/30 19:13:55 1.54.2.7 - @@ -627,6 +614,7 @@ - * If the state is LISTEN then ignore segment if it contains an RST. - * If the segment contains an ACK then it is bad and send a RST. - * If it does not contain a SYN then it is not interesting; drop it. - + * If it is from this socket, drop it, it must be forged. - * Don't bother responding if the destination was a broadcast. - * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial - * tp->iss, and send a segment: - @@ -646,6 +634,9 @@ - goto dropwithreset; - if ((tiflags & TH_SYN) == 0) - goto drop; - + if ((ti->ti_dport == ti->ti_sport) && - + (ti->ti_dst.s_addr == ti->ti_src.s_addr)) - + goto drop; - /* - * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN - * in_broadcast() should never return true on a received - 
@@ -765,6 +756,23 @@ - } - - /* - + * If the state is SYN_RECEIVED: - + * if seg contains SYN/ACK, send a RST. - + * if seg contains an ACK, but not for our SYN/ACK, send a RST. - + */ - + case TCPS_SYN_RECEIVED: - + if (tiflags & TH_ACK) { - + if (tiflags & TH_SYN) { - + tcpstat.tcps_badsyn++; - + goto dropwithreset; - + } - + if (SEQ_LEQ(ti->ti_ack, tp->snd_una) || - + SEQ_GT(ti->ti_ack, tp->snd_max)) - + goto dropwithreset; - + } - + break; - + - + /* - * If the state is SYN_SENT: - * if seg contains an ACK, but not for our SYN, drop the input. - * if seg contains a RST, then drop the connection. - 
@@ -1179,14 +1187,11 @@ - switch (tp->t_state) { - - /* - - * In SYN_RECEIVED state if the ack ACKs our SYN then enter - - * ESTABLISHED state and continue processing, otherwise - - * send an RST. - + * In SYN_RECEIVED state, the ack ACKs our SYN, so enter - + * ESTABLISHED state and continue processing. - + * The ACK was checked above. - */ - case TCPS_SYN_RECEIVED: - - if (SEQ_GT(tp->snd_una, ti->ti_ack) || - - SEQ_GT(ti->ti_ack, tp->snd_max)) - - goto dropwithreset; - - tcpstat.tcps_connects++; - soisconnected(so); - - -============================================================================= -FreeBSD, Inc. - -Web Site: http://www.freebsd.org/ -Confidential contacts: security-officer@freebsd.org -PGP Key: ftp://ftp.freebsd.org/pub/CERT/public_key.asc -Security notifications: security-notifications@freebsd.org -Security public discussion: security@freebsd.org - -Notice: Any patches in this document may not apply cleanly due to - modifications caused by digital signature or mailer software. - Please reference the URL listed at the top of this document - for original copies of all patches if necessary. -============================================================================= - ------BEGIN PGP SIGNATURE----- -Version: 2.6.2 - -iQCVAwUBNQg21FUuHi5z0oilAQFsYAP/TSdBmRb90H9/JqCvM/7pn1FOngoJgLPV -GzEBEKe1cbeY5tOY/rCLPVX3g+JjRjPFkMICaTYk0JdFEO29CLhw5qoX/OAm4M+M -erMJvXUJ3SPaEAEgK7zh5c73t9I4573Rbp1IxU3uZiqVSc3myJxCtFa4ZW2O6zkm -G57fsHlGRKo= -=4fC3 ------END PGP SIGNATURE----- |