diff options
author | delphij <delphij@FreeBSD.org> | 2014-04-30 04:03:05 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2014-04-30 04:03:05 +0000 |
commit | acd73984630e6a51a8052a175ac5f2f1c5dfd085 (patch) | |
tree | c2e87c5609de4037ca9af52f1c2a4c50c4c7b4ec /sys/netinet | |
parent | 65035c2d373a589bbcff4d0443d3615d615ccd9d (diff) | |
download | FreeBSD-src-acd73984630e6a51a8052a175ac5f2f1c5dfd085.zip FreeBSD-src-acd73984630e6a51a8052a175ac5f2f1c5dfd085.tar.gz |
Fix devfs rules not applied by default for jails.
Fix OpenSSL use-after-free vulnerability.
Fix TCP reassembly vulnerability.
Security: FreeBSD-SA-14:07.devfs
Security: CVE-2014-3001
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2010-5298
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/tcp_reass.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index 5fd29b8..f0af825 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -205,7 +205,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m) * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -228,7 +228,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m) */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -276,7 +276,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m) TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data |