Diffusion FreeBSD src repository - subversion rS293910

There is a bug in tcp_output()'s implementation of the TCP_SIGNATURE
rS293910
Actions

Description

There is a bug in tcp_output()'s implementation of the TCP_SIGNATURE
(RFC 2385/TCP-MD5) kernel option.

If a tcpcb has TF_NOOPT flag, then tcp_addoptions() is not called,
and to.to_signature is an uninitialized stack variable. The value
is later used as write offset, which leads to writing to random
address.

Submitted by: rstone, jtl
Security: SA-16:05.tcp

Details

Provenance

glebius

Authored on

Parents

rS293909: Call crextend() before copying old credentials to the new credentials

Branches

Unknown

Tags

Unknown

Event Timeline

glebius committed rS293910: There is a bug in tcp_output()'s implementation of the TCP_SIGNATURE.Jan 14 2016, 10:22 AM

jtl mentioned this in D4809: TCP signature output-path cleanup.Jan 14 2016, 8:56 PM

Changes (1)

Path

Size

head/

sys/

netinet/

tcp_output.c

rS293910

View Options

head/sys/netinet/tcp_output.c