Author: glebius
Date: Thu Jan 14 10:22:45 2016
New Revision: 293910
URL: https://svnweb.freebsd.org/changeset/base/293910

Log:
  There is a bug in tcp_output()'s implementation of the TCP_SIGNATURE
  (RFC 2385/TCP-MD5) kernel option.
  
  If a tcpcb has TF_NOOPT flag, then tcp_addoptions() is not called,
  and to.to_signature is an uninitialized stack variable. The value
  is later used as a write offset, which leads to a write to an
  unpredictable kernel address (memory corruption).
  
  Submitted by: rstone, jtl
  Security:     SA-16:05.tcp

Modified:
  head/sys/netinet/tcp_output.c

Modified: head/sys/netinet/tcp_output.c
==============================================================================
--- head/sys/netinet/tcp_output.c       Thu Jan 14 10:16:25 2016        
(r293909)
+++ head/sys/netinet/tcp_output.c       Thu Jan 14 10:22:45 2016        
(r293910)
@@ -752,8 +752,8 @@ send:
         * segments.  Options for SYN-ACK segments are handled in TCP
         * syncache.
         */
+       to.to_flags = 0;
        if ((tp->t_flags & TF_NOOPT) == 0) {
-               to.to_flags = 0;
                /* Maximum segment size. */
                if (flags & TH_SYN) {
                        tp->snd_nxt = tp->iss;
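Review bot: Hoisting `to.to_flags = 0;` above the TF_NOOPT test initializes only the flags word; the other members of `to` (to_signature, to_mss, to_tsval, ...) remain indeterminate on the TF_NOOPT path and are safe only because every later consumer is expected to test to_flags first. A whole-struct initialization, `bzero(&to, sizeof(to));` here or `= { 0 }` at the declaration, would make that invariant hold regardless of what a future consumer does, at negligible cost on this path. The declaration of `to` and the rest of tcp_output() are outside this hunk, so where it is best placed cannot be confirmed from here.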
@@ -1233,7 +1233,7 @@ send:
                tp->snd_up = tp->snd_una;               /* drag it along */
 
 #ifdef TCP_SIGNATURE
-       if (tp->t_flags & TF_SIGNATURE) {
+       if (to.to_flags & TOF_SIGNATURE) {
                int sigoff = to.to_signature - opt;
                tcp_signature_compute(m, 0, len, optlen,
                    (u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
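Review bot: With the test changed to `to.to_flags & TOF_SIGNATURE`, a tcpcb that has both TF_SIGNATURE and TF_NOOPT set now sends the segment with no MD5 option at all, since tcp_addoptions() never ran; that is a silent downgrade from "signed" to "unsigned" rather than a dropped segment, and the commit does not say whether that combination is reachable or intended. If it is deliberate, a one-line comment would document it, e.g. `/* No TOF_SIGNATURE (e.g. TF_NOOPT set): the segment goes out unsigned. */`; if it is not, a KASSERT on `(tp->t_flags & (TF_SIGNATURE | TF_NOOPT)) != (TF_SIGNATURE | TF_NOOPT)` earlier in the function would catch it. How the peer treats an unsigned segment on a signature-required connection is not visible here. The enclosing tcp_output() body continues outside the hunk.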
@@ -1713,6 +1713,7 @@ tcp_addoptions(struct tcpopt *to, u_char
                        bcopy((u_char *)&to->to_tsecr, optp, 
sizeof(to->to_tsecr));
                        optp += sizeof(to->to_tsecr);
                        break;
+#ifdef TCP_SIGNATURE
                case TOF_SIGNATURE:
                        {
                        int siglen = TCPOLEN_SIGNATURE - 2;
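Review bot: Wrapping `case TOF_SIGNATURE:` in `#ifdef TCP_SIGNATURE` means that, in a kernel built without the option, a caller that still sets TOF_SIGNATURE in to_flags falls into the switch's `default:` arm, which is outside this hunk; it is worth confirming that arm rejects an unknown option bit (panic or skip) rather than emitting nothing and leaving a mismatched optlen. A short comment on the `#ifdef`, such as `/* TOF_SIGNATURE is only reachable when TCP_SIGNATURE is compiled in. */`, would make the intent clear. The case body starts here and its closing `#endif` lands in the following hunk, so the arm is split across the two hunks.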
@@ -1731,6 +1732,7 @@ tcp_addoptions(struct tcpopt *to, u_char
                                 *optp++ = 0;
                        break;
                        }
+#endif
                case TOF_SACK:
                        {
                        int sackblks = 0;