Re: Recent full disclosure post - Local DOS

Board: FB_security, posted 2011/02/01 02:01
On 01/28/2011 01:27 PM, John Baldwin wrote:
> On Friday, January 28, 2011 12:38:22 pm Tom Judge wrote:
>> On 01/28/2011 11:09 AM, John Baldwin wrote:
>>> On Friday, January 28, 2011 11:08:37 am Tom Judge wrote:
>>>> On 01/28/2011 08:29 AM, Tom Judge wrote:
>>>>>
>>>>> Has anyone looked at this:
>>>>>
>>>>> [Full-disclosure] FreeBSD local denial of service - forced reboot
>>>>>
>>>>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html
>>>>> <SNIP>
>>
>> Hi John,
>>
>> I can't repeat this with the code you sent. I tried this in a while (1)
>> loop and had 4 instances running without issue.
>
> Humm. That is the only setsockopt for TCP that can trigger a call to
> tcp_output().
>

Hi John,

I have just updated my test box to r218019.

Without your patch the issue is still present. With your patch it seems
to be fine (It passed 100 iterations of the code in the post).

Tom

> I have a possible fix I'm just not sure if it is completely correct:
>
> Index: tcp_usrreq.c
> ===================================================================
> --- tcp_usrreq.c (revision 218018)
> +++ tcp_usrreq.c (working copy)
> @@ -1330,7 +1330,8 @@ tcp_ctloutput(struct socket *so, struct sockopt *s
> tp->t_flags |= TF_NOPUSH;
> else {
> tp->t_flags &= ~TF_NOPUSH;
> - error = tcp_output(tp);
> + if (TCPS_HAVEESTABLISHED(tp->t_state))
> + error = tcp_output(tp);
> }
> INP_WUNLOCK(inp);
> break;
>

-- 
TJU13-ARIN
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
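Review bot: The new `if (TCPS_HAVEESTABLISHED(tp->t_state))` guard in the `else` branch of the tcp_ctloutput() hunk has no comment explaining why tcp_output() must be skipped on a connection that is not yet established. Since this guard is the whole fix for the local DoS discussed in the thread, a one-line comment above it would keep a later cleanup from dropping it. It is also worth confirming that `error` already holds 0 when the guard is false, because that path clears TF_NOPUSH and falls through to INP_WUNLOCK(inp) without assigning `error`, and the initialisation is outside the lines shown.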
Article ID (AID): #1DHlZaXX (FB_security)