From 9c5d2006e1a7628d0c44eadbb53119191c5c4015 Mon Sep 17 00:00:00 2001 From: delphij Date: Wed, 30 Apr 2014 04:05:47 +0000 Subject: [PATCH] Fix TCP reassembly vulnerability. Security: FreeBSD-SA-14:08.tcp Security: CVE-2014-3000 Approved by: so git-svn-id: svn://svn.freebsd.org/base/releng/9.2@265125 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 4 ++++ sys/conf/newvers.sh | 2 +- sys/netinet/tcp_reass.c | 7 ++++--- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/UPDATING b/UPDATING index 991238cf..d7708a10 100644 --- a/UPDATING +++ b/UPDATING @@ -11,6 +11,10 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20140430: p5 FreeBSD-SA-14:08.tcp + + Fix TCP reassembly vulnerability. [SA-14:08] + 20140408: p4 FreeBSD-SA-14:05.nfsserver FreeBSD-SA-14:06.openssl Fix deadlock in the NFS server. [SA-14:05] diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index bf468c47..ad61dbd9 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.2" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index 5fd29b83..f0af825a 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -205,7 +205,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m) * Investigate why and re-evaluate the below limit after the behaviour * is understood. */ - if (th->th_seq != tp->rcv_nxt && + if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) && tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) { V_tcp_reass_overflows++; TCPSTAT_INC(tcps_rcvmemdrop); @@ -228,7 +228,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m) */ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT); if (te == NULL) { - if (th->th_seq != tp->rcv_nxt) { + if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) { TCPSTAT_INC(tcps_rcvmemdrop); m_freem(m); *tlenp = 0; @@ -276,7 +276,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m) TCPSTAT_INC(tcps_rcvduppack); TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp); m_freem(m); - uma_zfree(V_tcp_reass_zone, te); + if (te != &tqs) + uma_zfree(V_tcp_reass_zone, te); tp->t_segqlen--; /* * Try to present any queued data -- 2.45.0