mbuf vulnerability
Darren Reed
avalon at caligula.anu.edu.au
Tue Mar 2 09:30:26 PST 2004
In some mail from Mike Silbersack, sie said:
> On Wed, 3 Mar 2004, Darren Reed wrote:
>
> > IPFilter v4 can prevent this attack with:
> >
> > pass in .. proto tcp ... keep state(strict)
>
> Nope, I just tested this. Well, I should say that it doesn't provide any
> protection with "keep state"... what does (strict) mean? The ipf in
> FreeBSD doesn't seem to support it.
Uh, what did you test and what did you test with?

"strict" requires that the sequence number in packet n should match
the sequence number of the last byte in packet n-1 - i.e. no
out-of-order delivery is permitted.
Darren
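
An added example, not part of the original message and not IPFilter's code: a minimal model of the in-order rule described above, where a segment passes only if it begins where the previous passed segment ended. The names `strict_state`, `strict_check` and `strict_count_passed`, the flag constants and the trace are hypothetical and constructed; retransmissions and the reverse direction are not modelled.

```c
#include <stdint.h>
#include <stddef.h>

#define F_FIN 0x01u
#define F_SYN 0x02u

struct segment { uint32_t seq, len; uint8_t flags; };
/* One direction of a tracked connection (hypothetical model, not IPFilter's structures). */
struct strict_state { int seen; uint32_t next_seq; };

/* Sequence space consumed: payload bytes plus one each for SYN and FIN. */
static uint32_t seg_span(const struct segment *s)
{
    return s->len + ((s->flags & F_SYN) ? 1u : 0u) + ((s->flags & F_FIN) ? 1u : 0u);
}

/* Return 1 to pass, 0 to drop: a segment passes only if it starts exactly
 * where the previous passed segment ended. Dropped segments leave state unchanged. */
int strict_check(struct strict_state *st, const struct segment *s)
{
    if (st->seen && s->seq != st->next_seq)
        return 0;
    st->seen = 1;
    st->next_seq = s->seq + seg_span(s);   /* uint32_t wraps at 2^32 like TCP */
    return 1;
}

/* Count how many segments of a trace pass the check. */
size_t strict_count_passed(const struct segment *trace, size_t n)
{
    struct strict_state st = { 0, 0 };
    size_t passed = 0;
    for (size_t i = 0; i < n; i++)
        passed += (size_t)strict_check(&st, &trace[i]);
    return passed;
}

/* Constructed trace: SYN near the wrap point, in-order data, two segments that skip ahead. */
const struct segment sample_trace[] = {
    { 0xFFFFFFF0u, 0,  F_SYN },  /* passes, next = 0xFFFFFFF1 */
    { 0xFFFFFFF1u, 15, 0 },      /* passes, next wraps to 0 */
    { 0x00000000u, 10, 0 },      /* passes, next = 10 */
    { 0x00000064u, 1,  0 },      /* dropped: leaves a gap */
    { 0x000000C8u, 1,  0 },      /* dropped: leaves a gap */
    { 0x0000000Au, 5,  0 },      /* passes, next = 15 */
};

int main(void)
{
    return strict_count_passed(sample_trace, 6) == 4 ? 0 : 1;
}
```

Because the dropped segments never reach the host, they cannot accumulate in its reassembly queue; the cost is that legitimately reordered segments are dropped too and must be resent.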
More information about the freebsd-security
mailing list