aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXin LI <delphij@FreeBSD.org>2014-04-30 04:05:47 +0000
committerXin LI <delphij@FreeBSD.org>2014-04-30 04:05:47 +0000
commitae2b78f369926d94ebe37f6c6320a5dc5dbb1d0d (patch)
tree7429ad4d2bcb1f44b731758f96bed62f5fff1d8c
parentd1a5b5c5bf5787b84787e86a78720390bb3f6ba1 (diff)
downloadsrc-ae2b78f369926d94ebe37f6c6320a5dc5dbb1d0d.tar.gz
src-ae2b78f369926d94ebe37f6c6320a5dc5dbb1d0d.zip
Fix TCP reassembly vulnerability.
Security: FreeBSD-SA-14:08.tcp Security: CVE-2014-3000 Approved by: so
Notes
Notes: svn path=/releng/9.1/; revision=265125
-rw-r--r--UPDATING4
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/netinet/tcp_reass.c7
3 files changed, 9 insertions, 4 deletions
diff --git a/UPDATING b/UPDATING
index fb6a5c9a502c..fb1410e1c9c9 100644
--- a/UPDATING
+++ b/UPDATING
@@ -9,6 +9,10 @@ handbook.
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20140430: p12 FreeBSD-SA-14:08.tcp
+
+ Fix TCP reassembly vulnerability. [SA-14:08]
+
20140408: p11 FreeBSD-SA-14:05.nfsserver
FreeBSD-SA-14:06.openssl
Fix deadlock in the NFS server. [SA-14:05]
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 52a67fc0c868..7b1e34d83745 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.1"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index f762dfd65734..1a1f17d6dc3a 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)
* Investigate why and re-evaluate the below limit after the behaviour
* is understood.
*/
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
V_tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)
*/
te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)
TCPSTAT_INC(tcps_rcvduppack);
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data