>     If I remember correctly this particular patch is fairly straightforward.
>     If you put together a patch set for the release branch I do have two
>     test machines running the release to make sure it doesn't blow anything
>     up.  I wouldn't know how to test for the specific security hole but I
>     don't expect that it would operate any differently from HEAD.

Below is the patch that ports the FreeBSD-SA-05:15.tcp fix to DragonFly_RELEASE_1_2.

The DragonFlyBSD Rel 1.2 kernel with this patch applied builds on my
DragonFlyBSD HEAD machine. Could you test this patch on your
Rel 1.2 machines?

If I can log in to one of the patched Rel 1.2 machines over SSH for
a short while, I can verify that the patch works correctly by probing
the TCP connection of that SSH session.

Thanks.

Regards,
Noritoshi Demizu


Index: tcp_input.c
===================================================================
RCS file: /home/cvsup/DragonFlyBSD/dcvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.58
diff -u -r1.58 tcp_input.c
--- tcp_input.c 23 Mar 2005 08:02:46 -0000      1.58
+++ tcp_input.c 2 Sep 2005 06:33:29 -0000
@@ -1073,7 +1073,7 @@
         * XXX this is tradtitional behavior, may need to be cleaned up.
         */
        tcp_dooptions(&to, optp, optlen, (thflags & TH_SYN) != 0);
-       if (thflags & TH_SYN) {
+       if (tp->t_state == TCPS_SYN_SENT && (thflags & TH_SYN)) {
                if (to.to_flags & TOF_SCALE) {
                        tp->t_flags |= TF_RCVD_SCALE;
                        tp->requested_s_scale = to.to_requested_s_scale;
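Review bot: The new `tp->t_state == TCPS_SYN_SENT` guard on the changed line is the whole security point of this hunk, yet it carries no comment, so a later reader may "simplify" it back to `thflags & TH_SYN`; add something like `/* Only honour SYN-only options (MSS/WSCALE/CC) on the SYN|ACK we are waiting for in SYN_SENT; a SYN arriving on an established connection must not be able to rewrite the negotiated options (FreeBSD-SA-05:15). */`. Note that `tcp_dooptions()` on the line above is still told to parse SYN-only options whenever TH_SYN is set, so the attacker-supplied values still land in `to` and are merely ignored here — presumably harmless, but worth a word in the same comment. SYN_RECEIVED is not in the condition, which is correct only if the listen-side SYN is consumed elsewhere (a syncache, as in FreeBSD); please confirm DragonFly 1.2 has no path reaching this code in LISTEN/SYN_RECEIVED that expects the scale factor to be recorded. The enclosing function begins and ends outside this hunk.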
@@ -1790,10 +1790,25 @@
        /*
         * If last ACK falls within this segment's sequence numbers,
         * record its timestamp.
-        * NOTE that the test is modified according to the latest
-        * proposal of the [EMAIL PROTECTED] list (Braden 1993/04/26).
-        */
-       if ((to.to_flags & TOF_TS) && SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
+        * NOTE:
+        * 1) That the test incorporates suggestions from the latest
+        *    proposal of the [EMAIL PROTECTED] list (Braden 1993/04/26).
+        * 2) That updating only on newer timestamps interferes with
+        *    our earlier PAWS tests, so this check should be solely
+        *    predicated on the sequence space of this segment.
+        * 3) That we modify the segment boundary check to be
+        *        Last.ACK.Sent <= SEG.SEQ + SEG.LEN
+        *    instead of RFC1323's
+        *        Last.ACK.Sent < SEG.SEQ + SEG.LEN,
+        *    This modified check allows us to overcome RFC1323's
+        *    limitations as described in Stevens TCP/IP Illustrated
+        *    Vol. 2 p.869. In such cases, we can still calculate the
+        *    RTT correctly when RCV.NXT == Last.ACK.Sent.
+        */
+       if ((to.to_flags & TOF_TS) && SEQ_LEQ(th->th_seq, tp->last_ack_sent) &&
+           SEQ_LEQ(tp->last_ack_sent, (th->th_seq + tlen
+                                       + ((thflags & TH_SYN) != 0)
+                                       + ((thflags & TH_FIN) != 0)))) {
                tp->ts_recent_age = ticks;
                tp->ts_recent = to.to_tsval;
        }
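Review bot: The widened condition on the `SEQ_LEQ(tp->last_ack_sent, ...)` lines still lets a sender who can guess an in-window sequence number covering `last_ack_sent` advance `ts_recent`, so PAWS remains only as strong as the sequence-space checks that precede this block; the new NOTE reads as if this test alone is the defense, and it should say otherwise. Suggest a fourth item in the NOTE block: `4) A segment that passes the earlier window/PAWS checks and covers Last.ACK.Sent can still advance ts_recent; it is the sequence-space test in front of us, not this one, that keeps off-path timestamps out.` Also, if the header-prediction fast path earlier in this function has its own `ts_recent` update, check whether it needs the same lower bound or whether its own precondition already guarantees the segment covers `last_ack_sent`. The containing function extends beyond this hunk on both sides.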
@@ -2660,6 +2675,12 @@
                        to->to_tsval = ntohl(to->to_tsval);
                        bcopy(cp + 6, &to->to_tsecr, sizeof to->to_tsecr);
                        to->to_tsecr = ntohl(to->to_tsecr);
+                       /*
+                        * If echoed timestamp is later than the current time,
+                        * fall back to non RFC1323 RTT calculation.
+                        */
+                       if (to->to_tsecr != 0 && TSTMP_GT(to->to_tsecr, ticks))
+                               to->to_tsecr = 0;
                        break;
                case TCPOPT_CC:
                        if (optlen != TCPOLEN_CC)
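Review bot: The added check only rejects an echoed timestamp that is ahead of `ticks`; a TSecr far in the past still passes, and if the caller derives the RTT sample from `ticks - to_tsecr` (the comment says a non-RFC1323 fallback exists, so presumably it does), an injected in-window ACK can inflate the smoothed RTT and RTO enough to stall the connection. Consider also discarding a TSecr older than the stack's maximum retransmit timeout, in the same `if`, so that both halves of the timestamp circle are bounded. The comparison also assumes the TSval we sent was the raw `ticks` value; if timestamps are ever offset per connection, this check must use the same base. Add a comment such as `/* Guard against a forged or garbled TSecr: ticks - tsecr would otherwise go negative in the RTT estimator. */`. The enclosing `case TCPOPT_TIMESTAMP:` and its switch start outside this hunk.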
Index: tcp_seq.h
===================================================================
RCS file: /home/cvsup/DragonFlyBSD/dcvs/src/sys/netinet/tcp_seq.h,v
retrieving revision 1.7
diff -u -r1.7 tcp_seq.h
--- tcp_seq.h   21 Dec 2004 02:54:15 -0000      1.7
+++ tcp_seq.h   2 Sep 2005 06:33:29 -0000
@@ -111,6 +111,7 @@
 
 /* for modulo comparisons of timestamps */
 #define TSTMP_LT(a,b)  ((int)((a)-(b)) < 0)
+#define TSTMP_GT(a,b)  ((int)((a)-(b)) > 0)
 #define TSTMP_GEQ(a,b) ((int)((a)-(b)) >= 0)
 
 /*
