diff options
author | delphij <delphij@FreeBSD.org> | 2014-04-30 04:02:57 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2014-04-30 04:02:57 +0000 |
commit | 4007fe7eae5574db18b61b2a75b9c0fdbc26b1f9 (patch) | |
tree | 2755b95788dea0746efc6cbb1e077b5ff6c58201 | |
parent | 7e64659205e21c5bb172747f4b23e09970b9717f (diff) | |
download | FreeBSD-src-4007fe7eae5574db18b61b2a75b9c0fdbc26b1f9.zip FreeBSD-src-4007fe7eae5574db18b61b2a75b9c0fdbc26b1f9.tar.gz |
Fix TCP reassembly vulnerability.
Patch done by: glebius
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
-rw-r--r-- | sys/netinet/tcp_reass.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index 43153c8..a8ec39c 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -194,7 +194,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m) * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -217,7 +217,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m) */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -265,7 +265,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m) TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data |