oss-sec mailing list archives

CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations


From: Marcus Meissner <meissner () suse de>
Date: Fri, 3 Feb 2012 11:37:06 +0100

Hi,

After a customer query likely coming from erroneous Security Scanner output,
this issue from 2002 has no CVE id yet as far as I see:

http://www.kb.cert.org/vuls/id/464113

It describes a problem where firewalls might let some TCP flag combinations
pass (e.g. all with RST flag set) and the OS (e.g. Linux) stack would in turn
accept a TCP session it might not have accepted otherwise.

The protection added in Linux 2.4.20 is checking for the RST (reset) flag
when a SYN packet is received, which was I think the main attack scenario.

The relevant part of the 2.4.20 patch is:

@@ -3667,6 +3693,9 @@
                if(th->ack)
                        return 1;

+               if(th->rst)
+                       goto discard;
+
                if(th->syn) {
                        if(tp->af_specific->conn_request(sk, skb) < 0)
                                return 1;
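Review bot: The new `if(th->rst) goto discard;` is placed after `if(th->ack) return 1;`, so a segment carrying both ACK and RST still takes the ACK branch instead of being discarded; if the intent is that any RST-bearing segment on this path (the LISTEN handling, given the `conn_request` call that follows) is silently dropped, the RST test should come before the ACK test, which is also the order RFC 793 prescribes for LISTEN (check RST first, then ACK). Either way, the hunk adds no comment; a one-line note explaining why RST is rejected before the SYN is processed would help future readers of this function.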


The check still exists in current mainline git, so the issue is still fixed.

Ciao, Marcus
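To make the behaviour Marcus describes concrete, here is an added example (my own C, not code from the e-mail or from the Linux kernel) that parses the flags byte of a raw TCP header and applies the LISTEN-state decision in the same order as the quoted 2.4.20 hunk, next to the pre-patch order that let a SYN+RST segment reach the connection-request path. It also generalises to the firewall side of the advisory with a check for flag combinations no conforming TCP sender emits. All names (`parse_tcp_flags`, `listen_state_verdict`, `tcp_flags_valid`, the `listen_verdict` enum) are my own, and the 20-byte header in `main` is a constructed sample, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as laid out in byte 13 of the header (RFC 793). */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20

/* The three outcomes visible in the quoted hunk: "return 1" (caller sends a
 * reset), "goto discard", and the conn_request() call. Hypothetical names. */
enum listen_verdict { LISTEN_SEND_RESET, LISTEN_DISCARD, LISTEN_CONN_REQUEST };

/* Parsed view of the flag bits we care about. */
struct tcp_flags { bool fin, syn, rst, psh, ack, urg; };

/* Extract the flags from a raw TCP header. Returns false when the buffer is
 * shorter than the 20-byte minimum header, so a truncated segment is never
 * interpreted. */
bool parse_tcp_flags(const uint8_t *hdr, size_t len, struct tcp_flags *out) {
    if (hdr == NULL || out == NULL || len < 20) return false;
    uint8_t f = hdr[13];
    out->fin = (f & TCP_FIN) != 0;
    out->syn = (f & TCP_SYN) != 0;
    out->rst = (f & TCP_RST) != 0;
    out->psh = (f & TCP_PSH) != 0;
    out->ack = (f & TCP_ACK) != 0;
    out->urg = (f & TCP_URG) != 0;
    return true;
}

/* LISTEN-state decision in the order of the patched 2.4.20 code:
 * ACK -> reset, RST -> discard, SYN -> connection request, else discard. */
enum listen_verdict listen_state_verdict(const struct tcp_flags *f) {
    if (f->ack) return LISTEN_SEND_RESET;
    if (f->rst) return LISTEN_DISCARD;        /* the check added in 2.4.20 */
    if (f->syn) return LISTEN_CONN_REQUEST;
    return LISTEN_DISCARD;
}

/* The same path without the RST test, i.e. the pre-2.4.20 order: a SYN+RST
 * segment falls through to the connection-request handling. */
enum listen_verdict listen_state_verdict_old(const struct tcp_flags *f) {
    if (f->ack) return LISTEN_SEND_RESET;
    if (f->syn) return LISTEN_CONN_REQUEST;
    return LISTEN_DISCARD;
}

/* Firewall-side generalisation: reject combinations a conforming TCP sender
 * never produces. SYN+FIN and SYN+RST are contradictory; a segment with no
 * ACK is only legitimate as an initial SYN or a bare RST, so FIN/PSH/URG
 * without ACK (including the all-zero flags byte) is rejected as well. */
bool tcp_flags_valid(const struct tcp_flags *f) {
    if (f->syn && f->fin) return false;
    if (f->syn && f->rst) return false;
    if (!f->ack && !f->syn && !f->rst) return false;
    return true;
}

static const char *verdict_name(enum listen_verdict v) {
    switch (v) {
    case LISTEN_SEND_RESET:   return "send reset";
    case LISTEN_DISCARD:      return "discard";
    case LISTEN_CONN_REQUEST: return "conn_request";
    }
    return "?";
}

int main(void) {
    /* Constructed sample: minimal 20-byte header with SYN and RST both set. */
    uint8_t hdr[20] = {0};
    hdr[13] = TCP_SYN | TCP_RST;

    struct tcp_flags f;
    if (!parse_tcp_flags(hdr, sizeof hdr, &f)) {
        fprintf(stderr, "header too short\n");
        return 1;
    }
    printf("SYN+RST in LISTEN, 2.4.20 order : %s\n", verdict_name(listen_state_verdict(&f)));
    printf("SYN+RST in LISTEN, old order    : %s\n", verdict_name(listen_state_verdict_old(&f)));
    printf("SYN+RST passes firewall check   : %s\n", tcp_flags_valid(&f) ? "yes" : "no");
    return 0;
}
```

The two verdict functions differ by a single line, which is exactly the situation the e-mail describes: a firewall that waves through anything with RST set hands the stack a SYN+RST segment, and whether that segment becomes a half-open connection depends on whether the stack tests RST before it tests SYN.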

