Date: Tue, 3 Jun 2008 09:31:02 -0700
From: "Adam Langley" <agl@...erialviolet.org>
To: "James Morris" <jmorris@...ei.org>
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH] Fix corrupt TCP packets when options space overflows with MD5SIG enabled

On Sun, Jun 1, 2008 at 4:40 PM, James Morris <jmorris@...ei.org> wrote:
> Reviewed-by: James Morris <jmorris@...ei.org>

Looking at this code some more, I fear that I've fucked up that patch.

The logic for TCP options seems to be duplicated three times in the
code: the size calculation (patched), the building of the actual
options (tcp_build_and_update_options / tcp_syn_build_options) and the
MSS calculations (tcp_current_mss).

It looks, on second glance, that this code in
tcp_build_and_update_options will include the options even though we
calculated the size without:

    if (tp->rx_opt.eff_sacks) {
            struct tcp_sack_block *sp = tp->rx_opt.dsack ?
                    tp->duplicate_sack : tp->selective_acks;
            int this_sack;

            *ptr++ = htonl((TCPOPT_NOP << 24) |
                           (TCPOPT_NOP << 16) |
                           (TCPOPT_SACK << 8) |
                           (TCPOLEN_SACK_BASE + (tp->rx_opt.eff_sacks *
                                                 TCPOLEN_SACK_PERBLOCK)));
    ...

Unless I'm missing something, that patch was incomplete and we're
still sending invalid packets on in the MD5SIG + SACK case. If so,
I'll try and get the other two cases with another patch.

Additionally, it would appear that it would be useful to pull this
logic into a single place: maybe a function which runs multiple times
(to calculate the MSS / header size and a second time to actually
perform the options writes). But that'll be a different patch.

Cheers,

AGL

--
Adam Langley agl@...erialviolet.org http://www.imperialviolet.org
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
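
Added example, not part of the message above and not kernel code: a user-space sketch of the "single place" idea, where one planning function decides which options fit in the 40-byte option space and both the size calculation and the writer follow that plan. The names opt_plan, plan_options, put_opt and write_options are hypothetical, and giving MD5SIG and timestamps priority over SACK blocks is an assumption of this sketch.

```c
#include <stdint.h>
#include <string.h>

/* Option sizes as defined in the kernel's include/net/tcp.h. */
#define MAX_TCP_OPTION_SPACE      40
#define TCPOLEN_TSTAMP_ALIGNED    12
#define TCPOLEN_MD5SIG_ALIGNED    20
#define TCPOLEN_SACK_BASE_ALIGNED  4
#define TCPOLEN_SACK_PERBLOCK      8

/* Hypothetical: the one place where the option layout is decided. */
struct opt_plan { int md5, tstamp, sack_blocks, size; };

static struct opt_plan plan_options(int md5, int tstamp, int eff_sacks)
{
    struct opt_plan p = { md5, tstamp, 0, 0 };
    int room;

    p.size = (md5 ? TCPOLEN_MD5SIG_ALIGNED : 0) +
             (tstamp ? TCPOLEN_TSTAMP_ALIGNED : 0);
    /* SACK gets only what is left; dropped if not even one block fits. */
    room = MAX_TCP_OPTION_SPACE - p.size - TCPOLEN_SACK_BASE_ALIGNED;
    if (eff_sacks > 0 && room >= TCPOLEN_SACK_PERBLOCK) {
        p.sack_blocks = room / TCPOLEN_SACK_PERBLOCK;
        if (p.sack_blocks > eff_sacks)
            p.sack_blocks = eff_sacks;
        p.size += TCPOLEN_SACK_BASE_ALIGNED +
                  p.sack_blocks * TCPOLEN_SACK_PERBLOCK;
    }
    return p;
}

/* Emit NOP NOP kind len plus a zeroed payload; returns the new offset. */
static int put_opt(uint8_t *buf, int off, uint8_t kind, int len)
{
    uint8_t hdr[4] = { 1, 1, kind, (uint8_t)len };
    memcpy(buf + off, hdr, 4);
    memset(buf + off + 4, 0, len - 2);
    return off + 2 + len;
}

/* The writer consults the plan only, never the raw eff_sacks count. */
static int write_options(const struct opt_plan *p, uint8_t *buf)
{
    int off = 0;
    if (p->md5)         off = put_opt(buf, off, 19, 18);  /* MD5SIG */
    if (p->tstamp)      off = put_opt(buf, off, 8, 10);   /* timestamps */
    if (p->sack_blocks) off = put_opt(buf, off, 5,        /* SACK */
                                      2 + p->sack_blocks * TCPOLEN_SACK_PERBLOCK);
    return off;
}
```

With MD5SIG and timestamps both enabled the plan carries no SACK blocks, so the writer cannot emit an option the size calculation left out.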