svn commit: r265125 - in releng: 8.3 8.3/sys/conf 8.3/sys/netinet 8.4 8.4/sys/conf 8.4/sys/netinet 9.1 9.1/sys/conf 9.1/sys/netinet 9.2 9.2/sys/conf 9.2/sys/netinet
Xin LI
delphij at FreeBSD.org
Wed Apr 30 04:05:50 UTC 2014
Author: delphij
Date: Wed Apr 30 04:05:47 2014
New Revision: 265125
URL: http://svnweb.freebsd.org/changeset/base/265125
Log:
Fix TCP reassembly vulnerability.
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
Approved by: so
Modified:
releng/8.3/UPDATING
releng/8.3/sys/conf/newvers.sh
releng/8.3/sys/netinet/tcp_reass.c
releng/8.4/UPDATING
releng/8.4/sys/conf/newvers.sh
releng/8.4/sys/netinet/tcp_reass.c
releng/9.1/UPDATING
releng/9.1/sys/conf/newvers.sh
releng/9.1/sys/netinet/tcp_reass.c
releng/9.2/UPDATING
releng/9.2/sys/conf/newvers.sh
releng/9.2/sys/netinet/tcp_reass.c
Modified: releng/8.3/UPDATING
==============================================================================
--- releng/8.3/UPDATING Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/8.3/UPDATING Wed Apr 30 04:05:47 2014 (r265125)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20140430: p16 FreeBSD-SA-14:08.tcp
+
+ Fix TCP reassembly vulnerability. [SA-14:08]
+
20140408: p15 FreeBSD-SA-14:05.nfsserver
FreeBSD-SA-14:06.openssl
Fix deadlock in the NFS server. [SA-14:05]
Modified: releng/8.3/sys/conf/newvers.sh
==============================================================================
--- releng/8.3/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/8.3/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.3"
-BRANCH="RELEASE-p15"
+BRANCH="RELEASE-p16"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.3/sys/netinet/tcp_reass.c
==============================================================================
--- releng/8.3/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/8.3/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125)
@@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
* Investigate why and re-evaluate the below limit after the behaviour
* is understood.
*/
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
V_tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
*/
te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd
TCPSTAT_INC(tcps_rcvduppack);
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/8.4/UPDATING Wed Apr 30 04:05:47 2014 (r265125)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20140430: p9 FreeBSD-SA-14:08.tcp
+
+ Fix TCP reassembly vulnerability. [SA-14:08]
+
20140408: p8 FreeBSD-SA-14:05.nfsserver
FreeBSD-SA-14:06.openssl
Fix deadlock in the NFS server. [SA-14:05]
Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/8.4/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.4"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.4/sys/netinet/tcp_reass.c
==============================================================================
--- releng/8.4/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/8.4/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125)
@@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
* Investigate why and re-evaluate the below limit after the behaviour
* is understood.
*/
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
V_tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
*/
te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd
TCPSTAT_INC(tcps_rcvduppack);
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
Modified: releng/9.1/UPDATING
==============================================================================
--- releng/9.1/UPDATING Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/9.1/UPDATING Wed Apr 30 04:05:47 2014 (r265125)
@@ -9,6 +9,10 @@ handbook.
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20140430: p12 FreeBSD-SA-14:08.tcp
+
+ Fix TCP reassembly vulnerability. [SA-14:08]
+
20140408: p11 FreeBSD-SA-14:05.nfsserver
FreeBSD-SA-14:06.openssl
Fix deadlock in the NFS server. [SA-14:05]
Modified: releng/9.1/sys/conf/newvers.sh
==============================================================================
--- releng/9.1/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/9.1/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.1"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.1/sys/netinet/tcp_reass.c
==============================================================================
--- releng/9.1/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/9.1/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125)
@@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
* Investigate why and re-evaluate the below limit after the behaviour
* is understood.
*/
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
V_tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
*/
te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd
TCPSTAT_INC(tcps_rcvduppack);
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
Modified: releng/9.2/UPDATING
==============================================================================
--- releng/9.2/UPDATING Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/9.2/UPDATING Wed Apr 30 04:05:47 2014 (r265125)
@@ -11,6 +11,10 @@ handbook:
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20140430: p5 FreeBSD-SA-14:08.tcp
+
+ Fix TCP reassembly vulnerability. [SA-14:08]
+
20140408: p4 FreeBSD-SA-14:05.nfsserver
FreeBSD-SA-14:06.openssl
Fix deadlock in the NFS server. [SA-14:05]
Modified: releng/9.2/sys/conf/newvers.sh
==============================================================================
--- releng/9.2/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/9.2/sys/conf/newvers.sh Wed Apr 30 04:05:47 2014 (r265125)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.2"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.2/sys/netinet/tcp_reass.c
==============================================================================
--- releng/9.2/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014 (r265124)
+++ releng/9.2/sys/netinet/tcp_reass.c Wed Apr 30 04:05:47 2014 (r265125)
@@ -205,7 +205,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
* Investigate why and re-evaluate the below limit after the behaviour
* is understood.
*/
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
V_tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -228,7 +228,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
*/
te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -276,7 +276,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd
TCPSTAT_INC(tcps_rcvduppack);
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
More information about the svn-src-releng
mailing list