svn commit: r285780 - in releng: 10.1 10.1/sys/conf 10.1/sys/netinet 8.4 8.4/sys/conf 8.4/sys/netinet 9.3 9.3/sys/conf 9.3/sys/netinet

Xin LI delphij at FreeBSD.org
Tue Jul 21 23:43:00 UTC 2015 

Author: delphij
Date: Tue Jul 21 23:42:56 2015
New Revision: 285780
URL: https://svnweb.freebsd.org/changeset/base/285780

Log:
  Fix resource exhaustion due to sessions stuck in LAST_ACK state.
  
  Security:	CVE-2015-5358
  Security:	SA-15:13.tcp
  Submitted by:	Jonathan Looney (Juniper SIRT)
  Approved by:	so

Modified:
  releng/10.1/UPDATING
  releng/10.1/sys/conf/newvers.sh
  releng/10.1/sys/netinet/tcp_output.c
  releng/8.4/UPDATING
  releng/8.4/sys/conf/newvers.sh
  releng/8.4/sys/netinet/tcp_output.c
  releng/9.3/UPDATING
  releng/9.3/sys/conf/newvers.sh
  releng/9.3/sys/netinet/tcp_output.c

Modified: releng/10.1/UPDATING
==============================================================================
--- releng/10.1/UPDATING	Tue Jul 21 23:42:20 2015	(r285779)
+++ releng/10.1/UPDATING	Tue Jul 21 23:42:56 2015	(r285780)
@@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20150721:	p15	FreeBSD-SA-15:13.tcp
+
+	Fix resource exhaustion due to sessions stuck in LAST_ACK state.
+	[SA-15:13]
+
 20150630:	p14	FreeBSD-EN-15:08.sendmail [revised]
 			FreeBSD-EN-15:09.xlocale
 			FreeBSD-EN-15:10.iconv

Modified: releng/10.1/sys/conf/newvers.sh
==============================================================================
--- releng/10.1/sys/conf/newvers.sh	Tue Jul 21 23:42:20 2015	(r285779)
+++ releng/10.1/sys/conf/newvers.sh	Tue Jul 21 23:42:56 2015	(r285780)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.1/sys/netinet/tcp_output.c
==============================================================================
--- releng/10.1/sys/netinet/tcp_output.c	Tue Jul 21 23:42:20 2015	(r285779)
+++ releng/10.1/sys/netinet/tcp_output.c	Tue Jul 21 23:42:56 2015	(r285780)
@@ -400,7 +400,7 @@ after_sack_rexmit:
 		flags &= ~TH_FIN;
 	}
 
-	if (len < 0) {
+	if (len <= 0) {
 		/*
 		 * If FIN has been sent but not acked,
 		 * but we haven't been called to retransmit,
@@ -410,9 +410,16 @@ after_sack_rexmit:
 		 * to (closed) window, and set the persist timer
 		 * if it isn't already going.  If the window didn't
 		 * close completely, just wait for an ACK.
+		 *
+		 * We also do a general check here to ensure that
+		 * we will set the persist timer when we have data
+		 * to send, but a 0-byte window. This makes sure
+		 * the persist timer is set even if the packet
+		 * hits one of the "goto send" lines below.
 		 */
 		len = 0;
-		if (sendwin == 0) {
+		if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
+			(off < (int) so->so_snd.sb_cc)) {
 			tcp_timer_activate(tp, TT_REXMT, 0);
 			tp->t_rxtshift = 0;
 			tp->snd_nxt = tp->snd_una;

Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING	Tue Jul 21 23:42:20 2015	(r285779)
+++ releng/8.4/UPDATING	Tue Jul 21 23:42:56 2015	(r285780)
@@ -15,6 +15,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20150721:	p34	FreeBSD-SA-15:13.tcp
+
+	Fix resource exhaustion due to sessions stuck in LAST_ACK state.
+	[SA-15:13]
+
 20150707:	p33	FreeBSD-SA-15:11.bind
 	Fix BIND resolver remote denial of service when validating.
 

Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh	Tue Jul 21 23:42:20 2015	(r285779)
+++ releng/8.4/sys/conf/newvers.sh	Tue Jul 21 23:42:56 2015	(r285780)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.4"
-BRANCH="RELEASE-p33"
+BRANCH="RELEASE-p34"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.4/sys/netinet/tcp_output.c
==============================================================================
--- releng/8.4/sys/netinet/tcp_output.c	Tue Jul 21 23:42:20 2015	(r285779)
+++ releng/8.4/sys/netinet/tcp_output.c	Tue Jul 21 23:42:56 2015	(r285780)
@@ -398,7 +398,7 @@ after_sack_rexmit:
 		flags &= ~TH_FIN;
 	}
 
-	if (len < 0) {
+	if (len <= 0) {
 		/*
 		 * If FIN has been sent but not acked,
 		 * but we haven't been called to retransmit,
@@ -408,9 +408,16 @@ after_sack_rexmit:
 		 * to (closed) window, and set the persist timer
 		 * if it isn't already going.  If the window didn't
 		 * close completely, just wait for an ACK.
+		 *
+		 * We also do a general check here to ensure that
+		 * we will set the persist timer when we have data
+		 * to send, but a 0-byte window. This makes sure
+		 * the persist timer is set even if the packet
+		 * hits one of the "goto send" lines below.
 		 */
 		len = 0;
-		if (sendwin == 0) {
+		if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
+			(off < (int) so->so_snd.sb_cc)) {
 			tcp_timer_activate(tp, TT_REXMT, 0);
 			tp->t_rxtshift = 0;
 			tp->snd_nxt = tp->snd_una;

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING	Tue Jul 21 23:42:20 2015	(r285779)
+++ releng/9.3/UPDATING	Tue Jul 21 23:42:56 2015	(r285780)
@@ -11,6 +11,11 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20150721:	p20	FreeBSD-SA-15:13.tcp
+
+	Fix resource exhaustion due to sessions stuck in LAST_ACK state.
+	[SA-15:13]
+
 20150707:	p19	FreeBSD-SA-15:11.bind
 	Fix BIND resolver remote denial of service when validating.
 

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh	Tue Jul 21 23:42:20 2015	(r285779)
+++ releng/9.3/sys/conf/newvers.sh	Tue Jul 21 23:42:56 2015	(r285780)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p19"
+BRANCH="RELEASE-p20"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.3/sys/netinet/tcp_output.c
==============================================================================
--- releng/9.3/sys/netinet/tcp_output.c	Tue Jul 21 23:42:20 2015	(r285779)
+++ releng/9.3/sys/netinet/tcp_output.c	Tue Jul 21 23:42:56 2015	(r285780)
@@ -397,7 +397,7 @@ after_sack_rexmit:
 		flags &= ~TH_FIN;
 	}
 
-	if (len < 0) {
+	if (len <= 0) {
 		/*
 		 * If FIN has been sent but not acked,
 		 * but we haven't been called to retransmit,
@@ -407,9 +407,16 @@ after_sack_rexmit:
 		 * to (closed) window, and set the persist timer
 		 * if it isn't already going.  If the window didn't
 		 * close completely, just wait for an ACK.
+		 *
+		 * We also do a general check here to ensure that
+		 * we will set the persist timer when we have data
+		 * to send, but a 0-byte window. This makes sure
+		 * the persist timer is set even if the packet
+		 * hits one of the "goto send" lines below.
 		 */
 		len = 0;
-		if (sendwin == 0) {
+		if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
+			(off < (int) so->so_snd.sb_cc)) {
 			tcp_timer_activate(tp, TT_REXMT, 0);
 			tp->t_rxtshift = 0;
 			tp->snd_nxt = tp->snd_una;

More information about the svn-src-all mailing list