oss-sec mailing list archives
Re: CVE Request -- kernel: tcp: drop SYN+FIN messages
From: Stefan Behte <craig () gentoo org>
Date: Sat, 02 Jun 2012 14:34:47 +0200
Hi,

I'm writing because the patch is missing something; in http://git.kernel.org/?p=linux/kernel/git/davem/net-next.git;a=commitdiff;h=fdf5af0daf8019cec2396cdef8fb042d80fe71fa the issue was fixed for SYN-FIN, but IMHO it's still open for SYN-PSH and SYN-URG.

# Victim:
Locally, I ran:
ab2 -n 10000 -c 100 http://localhost/
The performance was about 4500 requests/s

# Attacker:
iptables -A OUTPUT -d ${VICTIM} -p tcp --dport 80 --tcp-flags SYN,ACK,RST RST -j DROP

I modified synful.c to send SYN-FIN: this results in no open SYN_RECV states on the victim, the ab2 benchmark performs as usual. However, sending SYN+URG causes an immediate increase of SYN_RECV to 256 and ab2 won't even finish, only very few requests succeed.

Enabling tcp_syncookies is an immediate fix, though.

So my question is: isn't this the same thing as CVE-2012-2663? If so, this works for me:

--- a/net/ipv4/tcp_input.c 2012-06-02 14:16:16.720034382 +0200 +++ b/net/ipv4/tcp_input.c 2012-06-02 14:16:53.337038807 +0200 @@ -5864,6 +5864,10 @@ if (th->syn) { if (th->fin) goto discard; + if (th->urg) + goto discard; + if (th->psh) + goto discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0) return 1;

References:
http://markmail.org/thread/fbfyuiugtfyx6pl4#query:+page:1+mid:fbfyuiugtfyx6pl4+state:results
http://www.spinics.net/lists/netfilter-devel/msg21245.html
http://www.spinics.net/lists/netfilter-devel/msg21248.html
https://bugzilla.redhat.com/show_bug.cgi?id=826702
http://www.securityfocus.com/bid/53733/info ("Vulnerable" list is wrong btw.)

Best regards,
Stefan Behte
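
Review bot: the two added tests on th->urg and th->psh, placed after the existing th->fin test inside the if (th->syn) branch, carry no comment or changelog text saying why a SYN with URG or PSH set has to be discarded before conn_request() is called. Suggest folding the three tests into a single condition such as `if (th->fin || th->urg || th->psh) goto discard;` with a one-line comment giving the reason. Since the message reports that tcp_syncookies removes the symptom, the justification should also state what these drops change compared with a SYN without extra flags reaching the same conn_request() call.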
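
The flag combinations discussed in the message above can be recognised on captured TCP headers; the following is an added example, not code from the original post or from the kernel. The names `classify_syn`, `count_odd_syns` and the result codes are hypothetical, the sample headers are constructed, and the choice to examine only SYN segments without ACK or RST is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* TCP flag bits in byte 13 of the TCP header (RFC 793). */
enum { F_FIN = 0x01, F_SYN = 0x02, F_RST = 0x04, F_PSH = 0x08, F_ACK = 0x10, F_URG = 0x20 };
/* Hypothetical result codes, defined for this example only. */
enum syn_class { NOT_SYN, PLAIN_SYN, SYN_FIN, SYN_URG, SYN_PSH, MALFORMED };

/* Classify a connection request by the extra flags named in the thread.
 * Assumption: only SYN segments without ACK or RST are of interest. */
enum syn_class classify_syn(const uint8_t *tcp, size_t len)
{
    if (tcp == NULL || len < 20) return MALFORMED;  /* below minimal header */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;       /* header length, bytes */
    if (doff < 20 || doff > len) return MALFORMED;  /* offset outside segment */
    uint8_t fl = tcp[13];
    if (!(fl & F_SYN) || (fl & (F_ACK | F_RST))) return NOT_SYN;
    if (fl & F_FIN) return SYN_FIN;                 /* FIN reported first */
    if (fl & F_URG) return SYN_URG;
    if (fl & F_PSH) return SYN_PSH;
    return PLAIN_SYN;
}

/* Count connection requests carrying FIN, URG or PSH in a batch of headers. */
size_t count_odd_syns(const uint8_t hdrs[][20], size_t n)
{
    size_t odd = 0;
    for (size_t i = 0; i < n; i++) {
        enum syn_class c = classify_syn(hdrs[i], 20);
        odd += (c == SYN_FIN || c == SYN_URG || c == SYN_PSH);
    }
    return odd;
}

/* Constructed sample: port 40000 -> 80, data offset 5, flags in byte 13. */
static const uint8_t sample[5][20] = {
    {0x9c,0x40,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0x20,0, 0,0, 0,0}, /* SYN */
    {0x9c,0x40,0x00,0x50, 0,0,0,2, 0,0,0,0, 0x50,0x03, 0x20,0, 0,0, 0,0}, /* SYN+FIN */
    {0x9c,0x40,0x00,0x50, 0,0,0,3, 0,0,0,0, 0x50,0x22, 0x20,0, 0,0, 0,0}, /* SYN+URG */
    {0x9c,0x40,0x00,0x50, 0,0,0,4, 0,0,0,0, 0x50,0x0a, 0x20,0, 0,0, 0,0}, /* SYN+PSH */
    {0x9c,0x40,0x00,0x50, 0,0,0,5, 0,0,0,1, 0x50,0x12, 0x20,0, 0,0, 0,0}, /* SYN+ACK */
};

int main(void)
{
    printf("flagged: %zu of 5\n", count_odd_syns(sample, 5));
    return 0;
}
```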