-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:20 Security Advisory
FreeBSD, Inc.

Topic: syncache/syncookies denial of service

Category: core
Module: net
Announced: 2002-04-16
Credits: Alan Judge <[email protected]>
Dima Ruban <[email protected]>
Affects: FreeBSD 4.5-RELEASE
FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC
FreeBSD 4.5-STABLE prior to the correction date
Corrected: 2002-02-20 16:48:49 UTC (RELENG_4)
2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)
FreeBSD only: YES

I. Background

The SYN cache ("syncache") and SYN cookie mechanism ("syncookie") are
features of the TCP/IP stack intended to improve resistance to a class
of denial of service attacks known as SYN floods.

II. Problem Description

Two related problems with syncache were triggered when syncookies were
implemented.

1) When a SYN was accepted via a syncookie, it used an uninitialized
pointer to find the TCP options for the new socket. This pointer may
be a null pointer, which will cause the machine to crash.

2) A syncache entry is created when a SYN arrives on a listen socket.
If the application which created the listen socket was killed and
restarted — and therefore recreated the listen socket with a
different inpcb — an ACK (or duplicate SYN) which later arrived and
matched the existing syncache entry would cause a reference to the old
inpcb pointer. Depending on the pointer's contents, this might result
in a system crash.

Because syncache/syncookies support was added prior to the release of
FreeBSD 4.5-RELEASE, no other releases are affected.

III. Impact

Legitimate TCP/IP traffic may cause the machine to crash.

IV. Workaround

The first issue described may be worked around by disabling syncookies
using sysctl. Issue the following command as root:

sysctl -w net.inet.tcp.syncookies=0

However, there is no workaround for the second issue.

V. Solution

1) Upgrade your vulnerable system to 4.5-STABLE or the RELENG_4_5
security branch dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch

fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc

This patch has been verified to apply to 4.5-RELEASE only.

Verify the detached PGP signature using your PGP utility.

Execute the following commands as root:

cd /usr/src

patch -p < /path/to/patch

Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path Revision
Branch

---

src/sys/conf/newvers.sh
RELENG_4_5 1.44.2.20.2.2
src/sys/netinet/tcp_syncache.c
RELENG_4 1.5.2.5
RELENG_4_5 1.5.2.4.2.1

---

VII. References

<URL:http://www.FreeBSD.org/cgi/query-pr.cgi?pr=34658&gt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPLw9nVUuHi5z0oilAQFwpAP9EJludFfmQfMWU4supMdZ1K//qeqgtJVn
XrEX3TZjqOxRSnlzUUibbO2agnW7yCd8i2Qq0/3KyvMrcS4qSLmcvhQPsZxc26Bx
Xakz3uvCRIA0XlpJAd/HirsdPHQ94q0JMdnx6C1kW+EMQzM/0KKLpVNsdnFopy0m
mtPNSZRYgHk=
=9qwI
-----END PGP SIGNATURE-----