cvs commit: src/sys/netinet tcp_input.c tcp_var.h
Mike Silbersack
silby at FreeBSD.org
Sun Apr 25 19:56:32 PDT 2004
silby 2004/04/25 19:56:31 PDT
FreeBSD src repository
Modified files:
sys/netinet tcp_input.c tcp_var.h
Log:
Tighten up reset handling in order to make reset attacks as difficult as
possible while maintaining compatibility with the widest range of TCP stacks.
The algorithm is as follows:
---
For connections in the ESTABLISHED state, only resets with
sequence numbers exactly matching last_ack_sent will cause a reset,
all other segments will be silently dropped.
For connections in all other states, a reset anywhere in the window
will cause the connection to be reset. All other segments will be
silently dropped.
---
The necessity of accepting all in-window resets was discovered
by jayanth and jlemon, both of whom have seen TCP stacks that
will respond to FIN-ACK packets with resets not meeting the
strict last_ack_sent check.
Idea by: Darren Reed
Reviewed by: truckman, jlemon, others(?)
Revision Changes Path
1.235 +10 -0 src/sys/netinet/tcp_input.c
1.105 +1 -0 src/sys/netinet/tcp_var.h
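The acceptance rule from the log, written out as an added example (not the committed FreeBSD code): a simplified decision function with a constructed connection structure, so the two cases can be checked side by side, including sequence-number wraparound. The field names mirror the tcpcb fields the log mentions; the state enum and struct are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified connection states for this example (not the kernel's full set). */
enum tcp_state { TCPS_ESTABLISHED, TCPS_OTHER };

/* Constructed subset of per-connection receive state; names follow tcpcb. */
struct conn {
    enum tcp_state state;
    uint32_t rcv_nxt;       /* next sequence number we expect to receive */
    uint32_t rcv_wnd;       /* advertised receive window */
    uint32_t last_ack_sent; /* ack number carried by the last segment we sent */
};

/* Modular sequence-space comparisons, in the spirit of tcp_seq.h. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

/* Decide whether an incoming RST with sequence number `seq` may tear down
 * the connection under the policy in the commit log:
 *   ESTABLISHED: only an exact match on last_ack_sent is accepted;
 *   all other states: any sequence number inside the receive window.
 * Everything else is silently dropped (returns false). */
bool rst_accepted(const struct conn *c, uint32_t seq)
{
    if (c->state == TCPS_ESTABLISHED)
        return seq == c->last_ack_sent;

    /* rcv_nxt <= seq < rcv_nxt + rcv_wnd, computed modulo 2^32. */
    return SEQ_LEQ(c->rcv_nxt, seq) && SEQ_LT(seq, c->rcv_nxt + c->rcv_wnd);
}
```

The effect for a defender: in ESTABLISHED a blind RST must hit one value out of 2^32 rather than one of `rcv_wnd` values, while the looser rule is kept only for the closing states where real stacks send off-by-window resets.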