oss-sec mailing list archives
Re: CVE Request -- kernel: tcp: drop SYN+FIN messages
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 30 May 2012 14:02:49 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/30/2012 03:44 AM, John Haxby wrote:
Recently we have a couple of queries relating to a Nessus "TCP/IP
SYN+FIN Packet Filtering Weakness". This has not been helped by
the fact that [1] actually points (indrectly) to CVE-2002-2438
which is actually a SYN+RST problem.
The Nessus script actually appears to detect this problem (also
described in [2]):
commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa Author: Eric
Dumazet <eric.dumazet () gmail com> Date: Fri Dec 2 23:41:42 2011
+0000
tcp: drop SYN+FIN messages
Denys Fedoryshchenko reported that SYN+FIN attacks were bringing
his linux machines to their limits.
Dont call conn_request() if the TCP flags includes SYN flag
Reported-by: Denys Fedoryshchenko <denys () visp net lb>
Signed-off-by: Eric Dumazet <eric.dumazet () gmail com> Signed-off-by:
David S. Miller <davem () davemloft net>
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index
78dd38c..0cbb440 100644 --- a/net/ipv4/tcp_input.c +++
b/net/ipv4/tcp_input.c @@ -5811,6 +5811,8 @@ int
tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto
discard;
if (th->syn) { + if (th->fin) + goto
discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0) return
1;
References: [1]
http://www.nessus.org/plugins/index.php?view=single&id=11618 [2]
http://markmail.org/thread/l6y5vu3tub434z4w
Please use CVE-2012-2663 for this issue. This is tracked by Red Hat as: https://bugzilla.redhat.com/show_bug.cgi?id=826702 - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPxnzpAAoJEBYNRVNeJnmT3vEP/1yuxgSa9FDZAhjO2TMIRemp Rn0D8skRAb5uQPu9fCgTHkRNliPSGwkiO/sVrN/GzpIYd92lEdCDe5OY7ZxI1fp6 Zvk2jlaAwooZHey5t/p+69pg8E2nMvkkR31tQEe2Yg0VvanLaCJflpoA+87ud144 Pq/0rxTTvz7q6HFuLbc1p9mHQ4grspMjYi7JuJTQnmjHmTbQbgisItFmx4tcT12D zi+Y3hc4Co1n3DeiV+vMOkVh/Mu1/wIlr3q4ivZbh2eHHqRjMZybn8+K5m7RKVxY db6KmE1GK2qNsV350u/eDXm0AqgrYVk6mrr5oQBo4LZ/ULLfrvPtgezvGC5YlfkQ gPw9VnaWH+PAEcX0NsBI14Sr4lvIwCjLb0YSgOL5x9/ZuzBI1b5poiB6Wo9JmFAz cbDvYXy3SH5pU3LvWX/U09+fXfhiXAlvTIxvPZ9UsJa4ufRbVpT8cDkZOLPVk68q geO2mBUc68hcDiJaCCU4knK9B/gYBU3Ach5QD9CxQ0cqZps1zv3Hc7aJiE8apQk0 ofZPqydbsD0uLN62OSw7qUkwnRb+I6BxaP7GNWuX6WVGwa8ihomMExR0PJij3VLq y8Z+9d697h7clufh4gmWep8D6zqJzLHHz909lZWXyXVT5p2UuiNDKPKaO0RNF3QO cHCIOEWP4L5e77OtYPG6 =DBWw -----END PGP SIGNATURE-----
Current thread:
- CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Florian Weimer (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 31)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 01)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (Jun 01)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 01)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (Jun 01)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 07)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (Jun 07)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 08)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 31)