FreeBSD Security Advisory FreeBSD-SA-18:08.tcp
Kristof Provost
kp at FreeBSD.org
Thu Aug 16 12:58:14 UTC 2018
On 15 Aug 2018, at 15:25, Alexandr Krivulya wrote:
> Hi, freebsd-security
>
> Can CVE-2018-6922 be addressed by pf's fragment reassemble and
> reassemble tcp options or can it potentially lead to memory overflow
> (set limit frags?) when this options enabled?
>
No. While pf does limit the maximum number of IP fragments it’ll hold
on to, this number is large enough that it’s still possible to cause
the it to use excessive amounts of CPU time.
pf does not reassemble tcp segments, so it won’t protect you agains
that variant of the attack. The good news there is that it is not itself
vulnerable to it (for the same reason).
I’m looking into limiting the number of fragments per packet to ensure
there can’t be excessive CPU use, but that’s not ready to be
committed yet.
—
Kristof
More information about the freebsd-security
mailing list