
Fix SAD DNS Exploit CVE-2020-25705
Abandoned, Public

Authored by cy on Nov 30 2020, 3:10 AM.
Tags
None

Details

Summary

https://www.saddns.net/ discusses a DNS poisoning attack by leveraging network side channels by attempting to solicit ICMP_UNREACH_PORT replies. The source port number can be inferred from the rate at which ICMP_UNREACH_PORT is rate limited. The solution, as implemented on Linux, is to randomize rate limiting. This patch randomizes icmplim with a modulus of a random number divided by icmplim. This patch introduces a new icmpden (ICMP denominator) which is used to calculate the modulus. An icmpden of zero disables randomization.
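As an added illustration (not the kernel code under review), the following user-space model shows the mechanism the summary describes, reading it as: effective limit = icmplim + (random % (icmplim / icmpden)), which also matches the later remark that the limit may exceed icmplim. The per-second window and counter layout, the injected rnd argument and the function names are assumptions made for the example; with icmpden = 0 the number of errors answered per second is a constant (the quantity the side channel observes), with icmpden > 0 it is re-rolled every window.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical user-space model of the two sysctl knobs named in the summary. */
struct icmp_ratelim {
	int icmplim;        /* ICMP errors allowed per second (fixed part) */
	int icmpden;        /* denominator for the random slack; 0 = no jitter */
	int effective_lim;  /* limit in force for the current window */
	int sent;           /* errors already sent in the current window */
	unsigned window;    /* 1-second window the counters belong to */
};

/* icmplim plus a random slack below icmplim/icmpden, so the limit may exceed
 * icmplim (assumed reading of the summary); icmpden == 0 disables the jitter. */
int icmp_effective_limit(int icmplim, int icmpden, uint32_t rnd)
{
	if (icmpden <= 0 || icmplim / icmpden <= 0)
		return icmplim;
	return icmplim + (int)(rnd % (uint32_t)(icmplim / icmpden));
}

void icmp_ratelim_init(struct icmp_ratelim *rl, int icmplim, int icmpden)
{
	/* window = UINT_MAX forces a reset (and a fresh limit) on first use */
	*rl = (struct icmp_ratelim){ icmplim, icmpden, 0, 0, (unsigned)-1 };
}

/* May an ICMP error go out at second `now`?  Each new window re-rolls the limit. */
bool icmp_ratelimit_allow(struct icmp_ratelim *rl, unsigned now, uint32_t rnd)
{
	if (now != rl->window) {
		rl->window = now;
		rl->sent = 0;
		rl->effective_lim = icmp_effective_limit(rl->icmplim, rl->icmpden, rnd);
	}
	if (rl->sent >= rl->effective_lim)
		return false;
	rl->sent++;
	return true;
}

/* Errors answered out of a burst of n requests arriving at second `now`. */
int icmp_answered_in_window(struct icmp_ratelim *rl, unsigned now, int n, uint32_t rnd)
{
	int answered = 0;
	for (int i = 0; i < n; i++)
		answered += icmp_ratelimit_allow(rl, now, rnd);
	return answered;
}
```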

Test Plan

To be determined at the moment.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

cy requested review of this revision. Nov 30 2020, 3:10 AM

Use git diff -U99999 instead of git diff to create this patch. No functional change.

This patch is significantly smaller. The difference is that icmplim could be exceeded by the modulus of the divisor, whereas gnn's patch uses icmplim as an upper limit.

yuripv added inline comments.
sys/netinet/ip_icmp.c, line 1141

Should the rest of the function use icmp_bandlim instead of V_icmplim?