Author: delphij
Date: Tue Jul 21 23:42:56 2015
New Revision: 285780
URL: https://svnweb.freebsd.org/changeset/base/285780

Log:
  Fix resource exhaustion due to sessions stuck in LAST_ACK state.
  
  Security:     CVE-2015-5358
  Security:     SA-15:13.tcp
  Submitted by: Jonathan Looney (Juniper SIRT)
  Approved by:  so

Modified:
  releng/10.1/UPDATING
  releng/10.1/sys/conf/newvers.sh
  releng/10.1/sys/netinet/tcp_output.c
  releng/8.4/UPDATING
  releng/8.4/sys/conf/newvers.sh
  releng/8.4/sys/netinet/tcp_output.c
  releng/9.3/UPDATING
  releng/9.3/sys/conf/newvers.sh
  releng/9.3/sys/netinet/tcp_output.c

Modified: releng/10.1/UPDATING
==============================================================================
--- releng/10.1/UPDATING        Tue Jul 21 23:42:20 2015        (r285779)
+++ releng/10.1/UPDATING        Tue Jul 21 23:42:56 2015        (r285780)
@@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20150721:      p15     FreeBSD-SA-15:13.tcp
+
+       Fix resource exhaustion due to sessions stuck in LAST_ACK state.
+       [SA-15:13]
+
 20150630:      p14     FreeBSD-EN-15:08.sendmail [revised]
                        FreeBSD-EN-15:09.xlocale
                        FreeBSD-EN-15:10.iconv

Modified: releng/10.1/sys/conf/newvers.sh
==============================================================================
--- releng/10.1/sys/conf/newvers.sh     Tue Jul 21 23:42:20 2015        
(r285779)
+++ releng/10.1/sys/conf/newvers.sh     Tue Jul 21 23:42:56 2015        
(r285780)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.1/sys/netinet/tcp_output.c
==============================================================================
--- releng/10.1/sys/netinet/tcp_output.c        Tue Jul 21 23:42:20 2015        
(r285779)
+++ releng/10.1/sys/netinet/tcp_output.c        Tue Jul 21 23:42:56 2015        
(r285780)
@@ -400,7 +400,7 @@ after_sack_rexmit:
                flags &= ~TH_FIN;
        }
 
-       if (len < 0) {
+       if (len <= 0) {
                /*
                 * If FIN has been sent but not acked,
                 * but we haven't been called to retransmit,
@@ -410,9 +410,16 @@ after_sack_rexmit:
                 * to (closed) window, and set the persist timer
                 * if it isn't already going.  If the window didn't
                 * close completely, just wait for an ACK.
+                *
+                * We also do a general check here to ensure that
+                * we will set the persist timer when we have data
+                * to send, but a 0-byte window. This makes sure
+                * the persist timer is set even if the packet
+                * hits one of the "goto send" lines below.
                 */
                len = 0;
-               if (sendwin == 0) {
+               if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
+                       (off < (int) so->so_snd.sb_cc)) {
                        tcp_timer_activate(tp, TT_REXMT, 0);
                        tp->t_rxtshift = 0;
                        tp->snd_nxt = tp->snd_una;
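Review bot: The new guard `(off < (int) so->so_snd.sb_cc)` compares a signed offset against a byte count that is cast down to int; if `sb_cc` is unsigned, as it is in the sockbuf definition, a very large count would go negative after the cast and silently defeat the check, so it is safer kept in the unsigned domain, e.g. `(off >= 0 && (u_int)off < so->so_snd.sb_cc)` — hedged, since `off` is declared outside this hunk. The added comment speaks of setting the persist timer, but the visible lines only clear TT_REXMT and rewind snd_nxt, so a one-line pointer such as `/* the persist timer itself is armed by the code that follows */` would help a reader who cannot see the rest of tcp_output(), which continues past the hunk. Style-wise, the parentheses around each conjunct are redundant and the continuation line is tab-indented where style(9) uses four spaces. The identical hunks in releng/8.4 and releng/9.3 carry the same points.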

Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING Tue Jul 21 23:42:20 2015        (r285779)
+++ releng/8.4/UPDATING Tue Jul 21 23:42:56 2015        (r285780)
@@ -15,6 +15,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
        debugging tools present in HEAD were left in place because
        sun4v support still needs work to become production ready.
 
+20150721:      p34     FreeBSD-SA-15:13.tcp
+
+       Fix resource exhaustion due to sessions stuck in LAST_ACK state.
+       [SA-15:13]
+
 20150707:      p33     FreeBSD-SA-15:11.bind
        Fix BIND resolver remote denial of service when validating.
 

Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh      Tue Jul 21 23:42:20 2015        
(r285779)
+++ releng/8.4/sys/conf/newvers.sh      Tue Jul 21 23:42:56 2015        
(r285780)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.4"
-BRANCH="RELEASE-p33"
+BRANCH="RELEASE-p34"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.4/sys/netinet/tcp_output.c
==============================================================================
--- releng/8.4/sys/netinet/tcp_output.c Tue Jul 21 23:42:20 2015        
(r285779)
+++ releng/8.4/sys/netinet/tcp_output.c Tue Jul 21 23:42:56 2015        
(r285780)
@@ -398,7 +398,7 @@ after_sack_rexmit:
                flags &= ~TH_FIN;
        }
 
-       if (len < 0) {
+       if (len <= 0) {
                /*
                 * If FIN has been sent but not acked,
                 * but we haven't been called to retransmit,
@@ -408,9 +408,16 @@ after_sack_rexmit:
                 * to (closed) window, and set the persist timer
                 * if it isn't already going.  If the window didn't
                 * close completely, just wait for an ACK.
+                *
+                * We also do a general check here to ensure that
+                * we will set the persist timer when we have data
+                * to send, but a 0-byte window. This makes sure
+                * the persist timer is set even if the packet
+                * hits one of the "goto send" lines below.
                 */
                len = 0;
-               if (sendwin == 0) {
+               if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
+                       (off < (int) so->so_snd.sb_cc)) {
                        tcp_timer_activate(tp, TT_REXMT, 0);
                        tp->t_rxtshift = 0;
                        tp->snd_nxt = tp->snd_una;

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING Tue Jul 21 23:42:20 2015        (r285779)
+++ releng/9.3/UPDATING Tue Jul 21 23:42:56 2015        (r285780)
@@ -11,6 +11,11 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20150721:      p20     FreeBSD-SA-15:13.tcp
+
+       Fix resource exhaustion due to sessions stuck in LAST_ACK state.
+       [SA-15:13]
+
 20150707:      p19     FreeBSD-SA-15:11.bind
        Fix BIND resolver remote denial of service when validating.
 

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh      Tue Jul 21 23:42:20 2015        
(r285779)
+++ releng/9.3/sys/conf/newvers.sh      Tue Jul 21 23:42:56 2015        
(r285780)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p19"
+BRANCH="RELEASE-p20"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.3/sys/netinet/tcp_output.c
==============================================================================
--- releng/9.3/sys/netinet/tcp_output.c Tue Jul 21 23:42:20 2015        
(r285779)
+++ releng/9.3/sys/netinet/tcp_output.c Tue Jul 21 23:42:56 2015        
(r285780)
@@ -397,7 +397,7 @@ after_sack_rexmit:
                flags &= ~TH_FIN;
        }
 
-       if (len < 0) {
+       if (len <= 0) {
                /*
                 * If FIN has been sent but not acked,
                 * but we haven't been called to retransmit,
@@ -407,9 +407,16 @@ after_sack_rexmit:
                 * to (closed) window, and set the persist timer
                 * if it isn't already going.  If the window didn't
                 * close completely, just wait for an ACK.
+                *
+                * We also do a general check here to ensure that
+                * we will set the persist timer when we have data
+                * to send, but a 0-byte window. This makes sure
+                * the persist timer is set even if the packet
+                * hits one of the "goto send" lines below.
                 */
                len = 0;
-               if (sendwin == 0) {
+               if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
+                       (off < (int) so->so_snd.sb_cc)) {
                        tcp_timer_activate(tp, TT_REXMT, 0);
                        tp->t_rxtshift = 0;
                        tp->snd_nxt = tp->snd_una;