diff options
author | delphij <delphij@FreeBSD.org> | 2015-07-21 23:42:56 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2015-07-21 23:42:56 +0000 |
commit | c5ab052a5dab0168f1cd53cca4729f5836d78e11 (patch) | |
tree | cd0dab44830b51f1786e8f3ba3fadc4b15dceb3c | |
parent | 86de4e292591c4ca331549b0f6fa0436ecbc5252 (diff) | |
download | FreeBSD-src-c5ab052a5dab0168f1cd53cca4729f5836d78e11.zip FreeBSD-src-c5ab052a5dab0168f1cd53cca4729f5836d78e11.tar.gz |
Fix resource exhaustion due to sessions stuck in LAST_ACK state.
Security: CVE-2015-5358
Security: SA-15:13.tcp
Submitted by: Jonathan Looney (Juniper SIRT)
Approved by: so
-rw-r--r-- | UPDATING | 5 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
-rw-r--r-- | sys/netinet/tcp_output.c | 11 |
3 files changed, 15 insertions, 3 deletions
@@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20150721: p15 FreeBSD-SA-15:13.tcp + + Fix resource exhaustion due to sessions stuck in LAST_ACK state. + [SA-15:13] + 20150630: p14 FreeBSD-EN-15:08.sendmail [revised] FreeBSD-EN-15:09.xlocale FreeBSD-EN-15:10.iconv diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index ee08f5e..ea52fea 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p14" +BRANCH="RELEASE-p15" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index 8c97c12..9c8dea7 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -400,7 +400,7 @@ after_sack_rexmit: flags &= ~TH_FIN; } - if (len < 0) { + if (len <= 0) { /* * If FIN has been sent but not acked, * but we haven't been called to retransmit, @@ -410,9 +410,16 @@ after_sack_rexmit: * to (closed) window, and set the persist timer * if it isn't already going. If the window didn't * close completely, just wait for an ACK. + * + * We also do a general check here to ensure that + * we will set the persist timer when we have data + * to send, but a 0-byte window. This makes sure + * the persist timer is set even if the packet + * hits one of the "goto send" lines below. */ len = 0; - if (sendwin == 0) { + if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) && + (off < (int) so->so_snd.sb_cc)) { tcp_timer_activate(tp, TT_REXMT, 0); tp->t_rxtshift = 0; tp->snd_nxt = tp->snd_una; |