authorGordon Tetlow <gordon@FreeBSD.org>2020-03-19 16:46:01 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2020-03-19 16:46:01 +0000
commit8274d878c0e1ee57563567e2ae8becf75f9143b1 (patch)
tree02d6b4333d42b5c01f596ed7a276729204ea6223
parent2db4f63add95a5ca5da93d61ccf8752248ef1f7e (diff)
Fix TCP IPv6 SYN cache kernel information disclosure.
Approved by: so Security: FreeBSD-SA-20:04.tcp Security: CVE-2020-7451
Notes
Notes: svn path=/releng/12.1/; revision=359138
-rw-r--r--sys/netinet/tcp_syncache.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 862374af8143..2532affa073f 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1728,7 +1728,8 @@ syncache_respond(struct syncache *sc, struct syncache_head *sch,
ip6->ip6_dst = sc->sc_inc.inc6_faddr;
ip6->ip6_plen = htons(tlen - hlen);
/* ip6_hlim is set after checksum */
- ip6->ip6_flow &= ~IPV6_FLOWLABEL_MASK;
+ /* Zero out traffic class and flow label. */
+ ip6->ip6_flow &= ~IPV6_FLOWINFO_MASK;
ip6->ip6_flow |= sc->sc_flowlabel;
th = (struct tcphdr *)(ip6 + 1);
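Review bot: The masked update of `ip6->ip6_flow` still keeps whatever the four version bits held before, because `IPV6_FLOWINFO_MASK` covers only the traffic class and flow label. That is sound only if the first header byte (`ip6_vfc`) is written earlier in syncache_respond, which starts outside this hunk and cannot be confirmed from here. The new comment says what is cleared but not why; going by the commit title, I would record the reason, e.g. `/* Zero traffic class and flow label so no stale buffer bits reach the peer. */`. Separately, `sc->sc_flowlabel` is OR-ed in unmasked, so unless it is masked where it is stored, `ip6->ip6_flow |= sc->sc_flowlabel & IPV6_FLOWLABEL_MASK;` would keep it from setting traffic-class bits.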