TCP SACK (CVE-2019-5599)
mike tancsa
mike at sentex.net
Tue Jun 18 14:33:13 UTC 2019
Hi all,
With respect to the bugs described in
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
<quote>
SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
Description: It is possible to send a crafted sequence of SACKs which
will fragment the RACK send map. An attacker may be able to further
exploit the fragmented send map to cause an expensive linked-list walk
for subsequent SACKs received for that same TCP connection.
Workaround #1: Apply the patch split_limit.patch
<https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001/split_limit.patch> and
set the net.inet.tcp.rack.split_limit sysctl to a reasonable value to
limit the size of the SACK table.
Workaround #2: Temporarily disable the RACK TCP stack.
(Note that either workaround should be sufficient on its own. It is not
necessary to apply both workarounds.)
</quote>
How do I know if this is enabled in my default kernel on RELENG_12?
There is some vague mention in various forums that this is not the default on
FreeBSD? Can anyone shed more light as to how this does/does not impact
FreeBSD?

    ---Mike