]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 312f49a) | patch
Tighten up reset handling in order to make reset attacks as difficult as
authorsilby <silby@FreeBSD.org>
Mon, 26 Apr 2004 02:56:31 +0000 (02:56 +0000)
committersilby <silby@FreeBSD.org>
Mon, 26 Apr 2004 02:56:31 +0000 (02:56 +0000)
commit051b00be736964ed5c26256aa18bbe6c68ff7922
tree8547bca0216e4f6983cf0489c681b37bfc557456tree | snapshot
parent312f49a25bec22bb547a39de59b639f0967847a5commit | diff
Tighten up reset handling in order to make reset attacks as difficult as
possible while maintaining compatibility with the widest range of TCP stacks.

The algorithm is as follows:

---
For connections in the ESTABLISHED state, only resets with
sequence numbers exactly matching last_ack_sent will cause a reset,
all other segments will be silently dropped.

For connections in all other states, a reset anywhere in the window
will cause the connection to be reset.  All other segments will be
silently dropped.
---

The necessity of accepting all in-window resets was discovered
by jayanth and jlemon, both of whom have seen TCP stacks that
will respond to FIN-ACK packets with resets not meeting the
strict last_ack_sent check.

Idea by:        Darren Reed
Reviewed by:    truckman, jlemon, others(?)
sys/netinet/tcp_input.c diff | blob | history
sys/netinet/tcp_reass.c diff | blob | history
sys/netinet/tcp_var.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.