Re: Heads Up: Accept filters fixed

2002-05-03 Thread D J Hawkey Jr

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] writes:
> 
> Just a quick note for those of you using accept filters with a 4.4+ kernel
> using the syncache:  Your accept filters are broken, and easily DoSable.
> 
> The fix (attached) has now been committed to both 5.0 and 4.5, so I
> recommend doing one of two things if you're using accept filters:
> 
> 1.  Stop using them.

How does one know if one is? No man page(s) on "syncache", but I did
glean this:

[sheol] ~$ sysctl -a |grep syncache
syncache:160,15359,  0, 51,   95
net.inet.tcp.syncache.bucketlimit: 30
net.inet.tcp.syncache.cachelimit: 15359
net.inet.tcp.syncache.count: 0
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.rexmtlimit: 3

How does one set up filters and tear them down?

Regarding another reply: Whom do I lobby to get this into RELENG_4_5?
I don't want to have to re-apply this patch after every 'cvsup'...

TIA,
Dave

-- 

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message



Re: Heads Up: Accept filters fixed

2002-04-30 Thread Garance A Drosihn

At 11:07 PM -0500 4/30/02, Mike Silbersack wrote:
>Just a quick note for those of you using accept filters with
>a 4.4+ kernel using the syncache:  Your accept filters are
>broken, and easily DoSable.
>
>The fix (attached) has now been committed to both 5.0 and 4.5,
>so I recommend doing one of two things if you're using accept
>filters:

How seriously are they broken?
Should this be MFC'ed into RELENG_4_5 ?  (security-patches branch)

-- 
Garance Alistair Drosehn            =   [EMAIL PROTECTED]
Senior Systems Programmer           or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute    or  [EMAIL PROTECTED]




Heads Up: Accept filters fixed

2002-04-30 Thread Mike Silbersack

Just a quick note for those of you using accept filters with a 4.4+ kernel
using the syncache:  Your accept filters are broken, and easily DoSable.

The fix (attached) has now been committed to both 5.0 and 4.5, so I
recommend doing one of two things if you're using accept filters:

1.  Stop using them.

2.  Patch or cvsup and rebuild your kernel.

Mike "Silby" Silbersack

-- Forwarded message --
Date: Tue, 30 Apr 2002 20:27:35 -0700 (PDT)
From: Mike Silbersack <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: cvs commit: src/sys/kern uipc_socket.c uipc_socket2.c

silby   2002/04/30 20:27:35 PDT

  Modified files:        (Branch: RELENG_4)
    sys/kern             uipc_socket.c uipc_socket2.c
  Log:
  MFC:

Make sure that sockets undergoing accept filtering are aborted in a
LRU fashion when the listen queue fills up.  Previously, there was
no mechanism to kick out old sockets, leading to an easy DoS of
daemons using accept filtering.

  Revision  Changes    Path
  1.116     +1 -2      src/sys/kern/uipc_socket.c
  1.87      +7 -1      src/sys/kern/uipc_socket2.c

  Revision   Changes    Path
  1.68.2.21  +1 -2      src/sys/kern/uipc_socket.c
  1.55.2.14  +7 -1      src/sys/kern/uipc_socket2.c


diff -u -r /usr/src/sys.old/kern/uipc_socket.c /usr/src/sys/kern/uipc_socket.c
--- /usr/src/sys.old/kern/uipc_socket.c Thu Apr 25 01:24:24 2002
+++ /usr/src/sys/kern/uipc_socket.c Thu Apr 25 01:28:40 2002
@@ -257,7 +257,6 @@
} else {
panic("sofree: not queued");
}
-   head->so_qlen--;
so->so_state &= ~SS_INCOMP;
so->so_head = NULL;
}
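Review bot: With `head->so_qlen--` removed from the tail of this block, nothing in the visible lines decrements so_qlen any more, so the field now appears to count completed sockets only, and no comment says so. Please document the new invariant here or next to the field, and confirm that every path removing a socket from so_comp (not shown in this hunk) still decrements so_qlen; otherwise the counter drifts upward.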
@@ -1642,6 +1641,6 @@
 {
struct socket *so = (struct socket *)kn->kn_fp->f_data;
 
-   kn->kn_data = so->so_qlen - so->so_incqlen;
+   kn->kn_data = so->so_qlen;
return (! TAILQ_EMPTY(&so->so_comp));
 }
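Review bot: The new assignment `kn->kn_data = so->so_qlen;` is only correct if so_qlen no longer includes sockets on so_incomp, which depends on the increments moved in uipc_socket2.c. A one-line comment stating that so_qlen counts completed connections only would keep a later reader from restoring the subtraction of so_incqlen.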
diff -u -r /usr/src/sys.old/kern/uipc_socket2.c /usr/src/sys/kern/uipc_socket2.c
--- /usr/src/sys.old/kern/uipc_socket2.cThu Apr 25 01:24:24 2002
+++ /usr/src/sys/kern/uipc_socket2.cThu Apr 25 16:43:37 2002
@@ -123,6 +123,7 @@
head->so_incqlen--;
so->so_state &= ~SS_INCOMP;
TAILQ_INSERT_TAIL(&head->so_comp, so, so_list);
+   head->so_qlen++;
so->so_state |= SS_COMP;
sorwakeup(head);
wakeup_one(&head->so_timeo);
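Review bot: The added `head->so_qlen++` moves a socket onto so_comp with no visible check against so_qlimit, while the new limit in the next hunk is applied to so_incqlen only. Is the completed queue bounded somewhere outside this hunk? If many filtered connections complete together, so_qlen could pass the backlog here; a comment or an assertion on the expected bound would help.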
@@ -251,12 +252,17 @@
if (connstatus) {
TAILQ_INSERT_TAIL(&head->so_comp, so, so_list);
so->so_state |= SS_COMP;
+   head->so_qlen++;
} else {
+   if (head->so_incqlen >= head->so_qlimit) {
+   struct socket *sp;
+   sp = TAILQ_FIRST(&head->so_incomp);
+   (void) soabort(sp);
+   }
TAILQ_INSERT_TAIL(&head->so_incomp, so, so_list);
so->so_state |= SS_INCOMP;
head->so_incqlen++;
}
-   head->so_qlen++;
if (connstatus) {
sorwakeup(head);
wakeup((caddr_t)&head->so_timeo);
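Review bot: In the new `else` branch, `sp = TAILQ_FIRST(&head->so_incomp)` is passed to soabort() without a NULL check; if so_qlimit is 0, or so_incqlen ever disagrees with the list contents, TAILQ_FIRST returns NULL and soabort() is called on it. Suggest guarding the call with `if (sp != NULL)`. The bound also relies on soabort() unlinking sp from so_incomp and decrementing so_incqlen before the `head->so_incqlen++` below, and its return value is discarded, so a short comment saying that the oldest incomplete socket is evicted and why a failure can be ignored would be worth adding.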