oss-sec mailing list archives

Re: CVE Request -- kernel: tcp: drop SYN+FIN messages


From: Stefan Behte <craig () gentoo org>
Date: Sat, 02 Jun 2012 14:34:47 +0200

Hi,

I'm writing because the patch is missing something; in
http://git.kernel.org/?p=linux/kernel/git/davem/net-next.git;a=commitdiff;h=fdf5af0daf8019cec2396cdef8fb042d80fe71fa
the issue was fixed for SYN-FIN, but IMHO it's still open for SYN-PSH
and SYN-URG.

# Victim:
Locally, I ran:
ab2 -n 10000 -c 100 http://localhost/
The performance was about 4500 requests/s

# Attacker:
iptables -A OUTPUT -d ${VICTIM} -p tcp --dport 80 --tcp-flags SYN,ACK,RST RST -j DROP
I modified synful.c to send SYN-FIN: this results in no open SYN_RECV
states on the victim, the ab2 benchmark performs as usual.

However, sending SYN+URG causes an immediate increase of SYN_RECV to 256
and ab2 won't even finish; only very few requests succeed.

Enabling tcp_syncookies is an immediate fix, though.

So my question is: isn't this the same thing as CVE-2012-2663? If so,
this works for me:

--- a/net/ipv4/tcp_input.c      2012-06-02 14:16:16.720034382 +0200
+++ b/net/ipv4/tcp_input.c      2012-06-02 14:16:53.337038807 +0200
@@ -5864,6 +5864,10 @@
                if (th->syn) {
                        if (th->fin)
                                goto discard;
+                       if (th->urg)
+                               goto discard;
+                       if (th->psh)
+                               goto discard;
                        if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
                                return 1;
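Review bot: the `th->psh` check in this hunk is not backed by the measurements given in the message, which only report results for SYN+FIN (no SYN_RECV buildup) and SYN+URG (SYN_RECV jumps to 256 and ab2 stalls); before discarding SYN+PSH as well, the same ab2 test should be repeated with PSH set, otherwise the patch drops a flag combination whose effect has not been shown. Style-wise, the two added `if` statements repeat the existing `if (th->fin) goto discard;` with identical bodies; folding them into one condition, `if (th->fin || th->urg || th->psh) goto discard;`, keeps the listen-path flag check in one place and makes the intent (reject SYNs carrying flags that make no sense on a connection request) easier to read.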

References:
http://markmail.org/thread/fbfyuiugtfyx6pl4#query:+page:1+mid:fbfyuiugtfyx6pl4+state:results
http://www.spinics.net/lists/netfilter-devel/msg21245.html
http://www.spinics.net/lists/netfilter-devel/msg21248.html
https://bugzilla.redhat.com/show_bug.cgi?id=826702
http://www.securityfocus.com/bid/53733/info ("Vulnerable" list is wrong
btw.)

Best regards,

Stefan Behte

