src - FreeBSD source tree

diff options


context:
space:
mode:

author	Xin LI <delphij@FreeBSD.org>	2015-07-28 19:59:22 +0000
committer	Xin LI <delphij@FreeBSD.org>	2015-07-28 19:59:22 +0000
commit	fd0d21b4fd3336f5c478ad0c85756ad4641c3519 (patch)
tree	371744982340c872520e17c2aa0163a60bf8f609
parent	cf5f0e1f960546c3f9d97f911527433c3648f113 (diff)

Fix resource exhaustion in TCP reassembly. [SA-15:15]

Fix OpenSSH multiple vulnerabilities. [SA-15:16] Fix BIND remote denial of service vulnerability. [SA-15:17] Approved by: so

Notes

Notes: svn path=/releng/9.3/; revision=285980

Diffstat

-rw-r--r--

UPDATING

-rw-r--r--

contrib/bind9/lib/dns/tkey.c

-rw-r--r--

crypto/openssh/auth2-chall.c

-rw-r--r--

crypto/openssh/sshconnect.c

-rw-r--r--

sys/conf/newvers.sh

-rw-r--r--

sys/netinet/tcp_reass.c

-rw-r--r--

sys/netinet/tcp_subr.c

-rw-r--r--

sys/netinet/tcp_var.h

8 files changed, 72 insertions, 61 deletions

diff --git a/UPDATING b/UPDATING
index 124467c39f00..c5a3881171b7 100644
--- a/UPDATING
+++ b/UPDATING

@@ -11,6 +11,16 @@ handbook:

Items affecting the ports and packages system can be found in

/usr/ports/UPDATING. Please read that file before running portupgrade.

+20150728: p21 FreeBSD-SA-15:15.tcp

+ FreeBSD-SA-15:16.openssh

+ FreeBSD-SA-15:17.bind

+ Fix resource exhaustion in TCP reassembly. [SA-15:15]

+ Fix OpenSSH multiple vulnerabilities. [SA-15:16]

+ Fix BIND remote denial of service vulnerability. [SA-15:17]

20150721: p20 FreeBSD-SA-15:13.tcp

Fix resource exhaustion due to sessions stuck in LAST_ACK state.

diff --git a/contrib/bind9/lib/dns/tkey.c b/contrib/bind9/lib/dns/tkey.c
index 11b4f49eb04b..ada26bc08b58 100644
--- a/contrib/bind9/lib/dns/tkey.c
+++ b/contrib/bind9/lib/dns/tkey.c

@@ -650,6 +650,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,

* Try the answer section, since that's where Win2000

* puts it.

+ name = NULL;

if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,

dns_rdatatype_tkey, 0, &name,

&tkeyset) != ISC_R_SUCCESS) {

diff --git a/crypto/openssh/auth2-chall.c b/crypto/openssh/auth2-chall.c
index 980250a91c3e..791be5ca3c9f 100644
--- a/crypto/openssh/auth2-chall.c
+++ b/crypto/openssh/auth2-chall.c

@@ -82,6 +82,7 @@ struct KbdintAuthctxt

void *ctxt;

KbdintDevice *device;

u_int nreq;

+ u_int devices_done;

};

#ifdef USE_PAM

@@ -168,11 +169,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)

if (len == 0)

break;

for (i = 0; devices[i]; i++) {

- if (!auth2_method_allowed(authctxt,

+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||

+ !auth2_method_allowed(authctxt,

"keyboard-interactive", devices[i]->name))

continue;

- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)

+ if (strncmp(kbdintctxt->devices, devices[i]->name,

+ len) == 0) {

kbdintctxt->device = devices[i];

+ kbdintctxt->devices_done |= 1 << i;

+ }

}

t = kbdintctxt->devices;

kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;

diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index fd8ad1dd3348..25ced5735dc6 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c

@@ -1247,29 +1247,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)

{

int flags = 0;

char *fp;

+ Key *plain = NULL;

fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);

debug("Server host key: %s %s", key_type(host_key), fp);

free(fp);

- /* XXX certs are not yet supported for DNS */

- if (!key_is_cert(host_key) && options.verify_host_key_dns &&

- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {

- if (flags & DNS_VERIFY_FOUND) {

- if (options.verify_host_key_dns == 1 &&

- flags & DNS_VERIFY_MATCH &&

- flags & DNS_VERIFY_SECURE)

- return 0;

- if (flags & DNS_VERIFY_MATCH) {

- matching_host_key_dns = 1;

- } else {

- warn_changed_key(host_key);

- error("Update the SSHFP RR in DNS with the new "

- "host key to get rid of this message.");

+ if (options.verify_host_key_dns) {

+ /*

+ * XXX certs are not yet supported for DNS, so downgrade

+ * them and try the plain key.

+ */

+ plain = key_from_private(host_key);

+ if (key_is_cert(plain))

+ key_drop_cert(plain);

+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {

+ if (flags & DNS_VERIFY_FOUND) {

+ if (options.verify_host_key_dns == 1 &&

+ flags & DNS_VERIFY_MATCH &&

+ flags & DNS_VERIFY_SECURE) {

+ key_free(plain);

+ return 0;

+ }

+ if (flags & DNS_VERIFY_MATCH) {

+ matching_host_key_dns = 1;

+ } else {

+ warn_changed_key(plain);

+ error("Update the SSHFP RR in DNS "

+ "with the new host key to get rid "

+ "of this message.");

+ }

}

+ key_free(plain);

}

return check_host_key(host, hostaddr, options.port, host_key, RDRW,

diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 3b7d9afe5035..658f8a57cc7a 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh

@@ -32,7 +32,7 @@

TYPE="FreeBSD"

REVISION="9.3"

-BRANCH="RELEASE-p20"

+BRANCH="RELEASE-p21"

if [ "X${BRANCH_OVERRIDE}" != "X" ]; then

BRANCH=${BRANCH_OVERRIDE}

diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index f0af825a52a3..506340d307de 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c

@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS);

static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,

"TCP Segment Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;

-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)

-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,

- &VNET_NAME(tcp_reass_maxseg), 0,

+static int tcp_reass_maxseg = 0;

+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,

+ &tcp_reass_maxseg, 0,

"Global maximum number of TCP Segments in Reassembly Queue");

-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,

+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,

(CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",

"Global number of TCP Segments currently in Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_overflows) = 0;

-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)

-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,

+static int tcp_reass_overflows = 0;

+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,

CTLTYPE_INT | CTLFLAG_RD,

- &VNET_NAME(tcp_reass_overflows), 0,

+ &tcp_reass_overflows, 0,

"Global number of TCP Segment Reassembly Queue Overflows");

-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);

-#define V_tcp_reass_zone VNET(tcp_reass_zone)

+static uma_zone_t tcp_reass_zone;

/* Initialize TCP reassembly queue */

static void

@@ -105,36 +102,27 @@ tcp_reass_zone_change(void *tag)

{

/* Set the zone limit and read back the effective value. */

- V_tcp_reass_maxseg = nmbclusters / 16;

- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,

- V_tcp_reass_maxseg);

+ tcp_reass_maxseg = nmbclusters / 16;

+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,

+ tcp_reass_maxseg);

}

void

-tcp_reass_init(void)

+tcp_reass_global_init(void)

{

- V_tcp_reass_maxseg = nmbclusters / 16;

+ tcp_reass_maxseg = nmbclusters / 16;

TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",

- &V_tcp_reass_maxseg);

- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),

+ &tcp_reass_maxseg);

+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),

NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);

/* Set the zone limit and read back the effective value. */

- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,

- V_tcp_reass_maxseg);

+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,

+ tcp_reass_maxseg);

EVENTHANDLER_REGISTER(nmbclusters_change,

tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);

}

-#ifdef VIMAGE

-void

-tcp_reass_destroy(void)

- uma_zdestroy(V_tcp_reass_zone);

-#endif

void

tcp_reass_flush(struct tcpcb *tp)

{

@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)

while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {

LIST_REMOVE(qe, tqe_q);

m_freem(qe->tqe_m);

- uma_zfree(V_tcp_reass_zone, qe);

+ uma_zfree(tcp_reass_zone, qe);

tp->t_segqlen--;

}

@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)

{

int qsize;

- qsize = uma_zone_get_cur(V_tcp_reass_zone);

+ qsize = uma_zone_get_cur(tcp_reass_zone);

return (sysctl_handle_int(oidp, &qsize, 0, req));

}

@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)

if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&

tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {

- V_tcp_reass_overflows++;

+ tcp_reass_overflows++;

TCPSTAT_INC(tcps_rcvmemdrop);

m_freem(m);

*tlenp = 0;

@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)

* Use a temporary structure on the stack for the missing segment

* when the zone is exhausted. Otherwise we may get stuck.

- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);

+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);

if (te == NULL) {

if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {

TCPSTAT_INC(tcps_rcvmemdrop);

@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)

TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);

m_freem(m);

if (te != &tqs)

- uma_zfree(V_tcp_reass_zone, te);

+ uma_zfree(tcp_reass_zone, te);

tp->t_segqlen--;

* Try to present any queued data

@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)

nq = LIST_NEXT(q, tqe_q);

LIST_REMOVE(q, tqe_q);

m_freem(q->tqe_m);

- uma_zfree(V_tcp_reass_zone, q);

+ uma_zfree(tcp_reass_zone, q);

tp->t_segqlen--;

q = nq;

}

@@ -353,7 +341,7 @@ present:

else

sbappendstream_locked(&so->so_rcv, q->tqe_m);

if (q != &tqs)

- uma_zfree(V_tcp_reass_zone, q);

+ uma_zfree(tcp_reass_zone, q);

tp->t_segqlen--;

q = nq;

} while (q && q->tqe_th->th_seq == tp->rcv_nxt);

diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 8f40d0bd58b5..8a81ecb78382 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c

@@ -314,7 +314,6 @@ tcp_init(void)

tcp_tw_init();

syncache_init();

tcp_hc_init();

- tcp_reass_init();

TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);

V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),

@@ -324,6 +323,8 @@ tcp_init(void)

if (!IS_DEFAULT_VNET(curvnet))

return;

+ tcp_reass_global_init();

/* XXX virtualize those bellow? */

tcp_delacktime = TCPTV_DELACK;

tcp_keepinit = TCPTV_KEEP_INIT;

@@ -371,7 +372,6 @@ void

tcp_destroy(void)

{

- tcp_reass_destroy();

tcp_hc_destroy();

syncache_destroy();

tcp_tw_destroy();

diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 171eafb6d8b0..6ecac51c5b4d 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h

@@ -680,11 +680,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct tcphdr *, void *,

char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,

const void *);

int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);

-void tcp_reass_init(void);

+void tcp_reass_global_init(void);

void tcp_reass_flush(struct tcpcb *);

-#ifdef VIMAGE

-void tcp_reass_destroy(void);

-#endif

void tcp_input(struct mbuf *, int);

u_long tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);

u_long tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);