Re: FreeBSD's RST validation

From: Bruce A. Mah (bmahat_private)
Date: Mon Aug 31 1998 - 11:24:36 PDT


    If memory serves me right, Don Lewis wrote:
    
    > Back in December 1997, I posted the following patch for the LAND attack
    > and also implemented stricter RST validation.  The variation of the
    > LAND fix in the first two chunks of this patch was implemented (you'll
    > have to look carefully at the code to find the second chunk), but I don't
    > believe the rest of the fixes in this patch were applied.
    >
    > I've been running a version of this patch altered for 2.1.x since December
    > without problems.  If you remove the first two chunks of this patch, it
    > will apply cleanly to the 2.2-stable version of tcp_input.c, though I have
    > no idea if it will work ...
    
    [snip]
    
    Personally, I had something a little less radical in mind.  Here's some
    context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to
    security-officerat_private last night after some quick testing.
    
    Now someone can tell me why this isn't the right solution.  :-)
    
    Bruce.
    
    -----8<-----snip-----8<-----
    
    *** tcp_input.c-dist    Mon May 18 10:12:44 1998
    --- tcp_input.c Sun Aug 30 21:22:32 1998
    ***************
    *** 809,815 ****
                                    goto dropwithreset;
                    }
                    if (tiflags & TH_RST) {
    !                       if (tiflags & TH_ACK)
                                    tp = tcp_drop(tp, ECONNREFUSED);
                            goto drop;
                    }
    --- 809,818 ----
                                    goto dropwithreset;
                    }
                    if (tiflags & TH_RST) {
    !                       if ((tiflags & TH_ACK) &&
    !                       /* XXX outside window? XXX */
    !                           (SEQ_GT(ti->ti_ack, tp->iss) &&
    !                            SEQ_LEQ(ti->ti_ack, tp->snd_max)))
                                    tp = tcp_drop(tp, ECONNREFUSED);
                            goto drop;
                    }
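    Review bot: the new condition in the `!` lines re-tests that `ti->ti_ack` lies in `(tp->iss, tp->snd_max]`, but if the `goto dropwithreset` shown as leading context is the tail of the usual SYN_SENT check that answers an ACK outside that same range with a reset, a segment with a bad ACK never reaches this `if (tiflags & TH_RST)` and the added test never fires; confirm what that earlier test covers, and if the intent is to stop answering out-of-range ACKs at all, that is the check to adjust rather than this one. Also move the `/* XXX outside window? XXX */` comment out of the middle of the condition and say what the test enforces (an RST in SYN_SENT is only acceptable when its ACK acknowledges our SYN), so a later reader does not take the XXX for an open question.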
    ***************
    *** 1147,1152 ****
    --- 1150,1159 ----
            case TCPS_FIN_WAIT_1:
            case TCPS_FIN_WAIT_2:
            case TCPS_CLOSE_WAIT:
    +               /* XXX outside window? XXX */
    +               if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
    +                   SEQ_LT(ti->ti_seq, tp->rcv_nxt))
    +                   goto drop;
                    so->so_error = ECONNRESET;
            close:
                    tp->t_state = TCPS_CLOSED;
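    Review bot: the added test rejects a valid RST whenever the receive window is zero: with `tp->rcv_wnd == 0`, `SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd)` is true for `ti_seq == rcv_nxt`, which is the one sequence number an acceptable zero-length segment may carry in that situation, so a peer that legitimately aborts while we advertise a zero window is ignored until the window reopens. Accept that case explicitly before the range test, e.g.
        if (ti->ti_seq != tp->rcv_nxt &&
            (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
             SEQ_LT(ti->ti_seq, tp->rcv_nxt)))
    Beyond that, replace `/* XXX outside window? XXX */` with a comment stating the rule (an RST is honoured only if its sequence number falls inside the receive window), and consider counting the dropped segments in a tcpstat entry so an operator can see a run of out-of-window resets rather than having them vanish silently on the `goto drop`.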