Module Name: src
Committed By: rin
Date: Tue Oct 8 06:17:14 UTC 2024
Modified Files:
src/sys/netinet: tcp_input.c
Log Message:
tcp_reass: Mitigate CVE-2018-6922 (SegmentSmack)
to the same level as FreeBSD, by introducing an arbitrary limit (100) on
the length of TCP reassembly queues:
https://github.com/freebsd/freebsd-src/commit/95a914f6316874f5b0c45d491f2843dc810071ef
Originally authored by ryo@.
We thank Tomoyuki Sahara <tsahara at iij>, who has analyzed the
problem again, updated the patch, and carried out experiments for
vulnerability scenarios. The confidential PR below is based on
his work.
PR security/58708
To generate a diff of this commit:
cvs rdiff -u -r1.440 -r1.441 src/sys/netinet/tcp_input.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.440 src/sys/netinet/tcp_input.c:1.441
--- src/sys/netinet/tcp_input.c:1.440 Fri Jul 5 04:31:54 2024
+++ src/sys/netinet/tcp_input.c Tue Oct 8 06:17:14 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_input.c,v 1.440 2024/07/05 04:31:54 rin Exp $ */
+/* $NetBSD: tcp_input.c,v 1.441 2024/10/08 06:17:14 rin Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -138,7 +138,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.440 2024/07/05 04:31:54 rin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.441 2024/10/08 06:17:14 rin Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -231,6 +231,8 @@ int tcp_autorcvbuf_inc = 16 * 1024;
int tcp_autorcvbuf_max = 256 * 1024;
int tcp_msl = (TCPTV_MSL / PR_SLOWHZ);
+int tcp_reass_maxqueuelen = 100;
+
static int tcp_rst_ppslim_count = 0;
static struct timeval tcp_rst_ppslim_last;
static int tcp_ackdrop_ppslim_count = 0;
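Review bot: `tcp_reass_maxqueuelen` is introduced with no comment saying what it bounds or why 100 was chosen, so a later reader has only the log message to go on; suggest `/* Max out-of-order segments held per reassembly queue; bounds the per-connection mbuf/CPU cost of CVE-2018-6922 (SegmentSmack). 100 follows FreeBSD and is arbitrary. */` above the definition. Whether the value is also exposed through sysctl or documented in a man page is not visible in this hunk; if it is not, operators cannot raise it on high bandwidth-delay paths where more than 100 legitimately out-of-order segments may be in flight. The variable is a plain non-static `int` with a file-scope initializer, consistent with the neighbouring tunables.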
@@ -707,6 +709,13 @@ tcp_reass(struct tcpcb *tp, const struct
#endif
insert_it:
+ /* limit tcp segments per reassembly queue */
+ if (tp->t_segqlen > tcp_reass_maxqueuelen) {
+ TCP_STATINC(TCP_STAT_RCVMEMDROP);
+ m_freem(m);
+ goto out;
+ }
+
/*
* Allocate a new queue entry (block) since the received segment
* did not collapse onto any other out-of-order block. If it had
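Review bot: The check at `insert_it:` does not exempt the segment that fills the hole at the head of the queue (`th->th_seq == tp->rcv_nxt`): once `t_segqlen` exceeds the limit, a hole-filling segment too short to coalesce with the following block reaches this point and is dropped, so the queue may never drain and a single loss on a fast path could stall the connection until the peer gives up. As far as I recall, the FreeBSD change linked in the log message guards the limit with a `th_seq != rcv_nxt` test for this reason; assuming the header pointer is the function's second parameter as the truncated hunk header suggests, `if (th->th_seq != tp->rcv_nxt && tp->t_segqlen >= tcp_reass_maxqueuelen) {` would carry it over. The `>` comparison also admits one more entry than the name `maxqueuelen` implies if `t_segqlen` is the current entry count; `>=` would match. The drops are counted under `TCP_STAT_RCVMEMDROP`, which other memory-pressure drops share, so a dedicated counter would let an operator distinguish an attack pattern from ordinary overload. The rest of tcp_reass and the `out` label lie outside the hunk, so I cannot see whether an earlier test already keeps in-sequence segments off this path.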