Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 05/01/14 12:38, Ronald F. Guilmette wrote:
> I also have a question....
> 
> If one manages a system where (a) all local user accounts are
> completely and 100% trustworthy and where (b) one has in place ipfw
> rules which reject all incoming packet *fragments* on all
> outward-facing interfaces, then is this security problem (relating
> to the reassembly queue) an issue at all for said system?  Or is it
> rather a non-event in such contexts?

(a) doesn't matter, systems with only root user can be affected if they
provide TCP service.

(b) I'm not 100% sure on ipfw details (haven't used it for ~10 years
now) but IP fragmentation itself have nothing to do with this issue
since it's a different layer.  Assuming you can't do TCP reassemble
with ipfw, it's still a problem.

Cheers,
- -- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

iQIcBAEBCgAGBQJTY86uAAoJEJW2GBstM+nsz9QQAI33s2CPVNuk1sWZ+OTdmIK9
2lDgJcVCRkDgX0MXph1CPO0NGkrXs8M7Ct3UtP91gagkkwiEZ6zO7jWK81GrEaNC
zBbYUyazWUx37mPUzLHf06a0NnvLFKLkJZZMrXfxYlX/BwFArAzsXY0i+JiGzKe3
Yd686PE2k4HU2RdGzm6H0T4eN5TJgNVb0AD4LIsvFfRcNUlqB0E+wrUrMeX6mmbi
3D1RnSjmD4SV5kFsvgiE3DVpTujwcfyYOQeJyEA7GTaBx/ZNHUI1GOCkCJ34SKzW
5qHwOKwFBPTmiFCmFxALrGv9cHM4M5iykvAqdbAM3tuPyQIUBVRLBCH/BtjzIj6n
tV6a7kHVNYamY8HDL3B9BLb/9EtVVNJxPLWWnOwpnhTrxBj79oxe+DCXZPCpYiy6
Od9ljRgS2GozsA0poUo3GNO7zr+mkegLVvg++GuZN2tIsOqWHhKDNQrzOxc27TP0
OHfQXkU6k34SgcVyfjSRKXUdt6ZCJ66FCZHZA7NpxDk2gyuFrYUiFXEJh90qs9QD
AUpXXEznNnId+OMEnwiCb5t+4o7TvMsra0XaZfS9+Q87U0owKUT0jOBt054QYtsn
IkyiyyjjB1xWtxgICuuBwK9B7D75D4if6z68pkHUsd5jptO84S7auXF1qTYlonPC
LG+xvLDPTbXErzcpK+om
=zQbC
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"